Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Generate lookup tables from searches with guarantee of unique entries

mzorzi
Splunk Employee
Splunk Employee
‎05-17-2013 05:18 AM

what is the most efficient way to achieve this.

I run search #1 that populates the lookup table file with data.

Then search #2 will search for values a specific field in the lookup table and only reports events that are NOT a match for anything already in the lookup table.

Finally I append the results of the second search to the same lookup table. So in the end my lookup file will now have 1 list of unique entries combined from 2 different searches.

Is that possible? Otherwise , what would be the most efficient way?

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎05-17-2013 06:17 AM

Well, starting from this:

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

You could probably achieve something similar to your wishes. I have created a search (no access to it at the moment - could post later) which - in pseudo search language - works like this for maintaining a list of userid's;

sourcetype=xxx userid=* NOT [search |inputlookup userid_file | fields + userid] | fields + userid | outputlookup append=t userid_file

OR this (don't remember)

sourcetype=xxx userid=* | fields + userid | inputlookup append=t userid_file | dedup userid | outputlookup userid_file

EDIT: several small fixes.

Good luck
/Kristian

0 Karma
Reply

kml_uvce
Builder
‎05-17-2013 05:27 AM

please explain it with some data..

kamal singh bisht
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...