Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Generate lookup tables from searches with guarantee of unique entries

mzorzi
Splunk Employee
Splunk Employee
‎05-17-2013 05:18 AM

what is the most efficient way to achieve this.

I run search #1 that populates the lookup table file with data.

Then search #2 will search for values a specific field in the lookup table and only reports events that are NOT a match for anything already in the lookup table.

Finally I append the results of the second search to the same lookup table. So in the end my lookup file will now have 1 list of unique entries combined from 2 different searches.

Is that possible? Otherwise , what would be the most efficient way?

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎05-17-2013 06:17 AM

Well, starting from this:

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

You could probably achieve something similar to your wishes. I have created a search (no access to it at the moment - could post later) which - in pseudo search language - works like this for maintaining a list of userid's;

sourcetype=xxx userid=* NOT [search |inputlookup userid_file | fields + userid] | fields + userid | outputlookup append=t userid_file

OR this (don't remember)

sourcetype=xxx userid=* | fields + userid | inputlookup append=t userid_file | dedup userid | outputlookup userid_file

EDIT: several small fixes.

Good luck
/Kristian

0 Karma
Reply

kml_uvce
Builder
‎05-17-2013 05:27 AM

please explain it with some data..

kamal singh bisht
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...