Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Generate lookup tables from searches with guarantee of unique entries

mzorzi
Splunk Employee
Splunk Employee
‎05-17-2013 05:18 AM

what is the most efficient way to achieve this.

I run search #1 that populates the lookup table file with data.

Then search #2 will search for values a specific field in the lookup table and only reports events that are NOT a match for anything already in the lookup table.

Finally I append the results of the second search to the same lookup table. So in the end my lookup file will now have 1 list of unique entries combined from 2 different searches.

Is that possible? Otherwise , what would be the most efficient way?

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎05-17-2013 06:17 AM

Well, starting from this:

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

You could probably achieve something similar to your wishes. I have created a search (no access to it at the moment - could post later) which - in pseudo search language - works like this for maintaining a list of userid's;

sourcetype=xxx userid=* NOT [search |inputlookup userid_file | fields + userid] | fields + userid | outputlookup append=t userid_file

OR this (don't remember)

sourcetype=xxx userid=* | fields + userid | inputlookup append=t userid_file | dedup userid | outputlookup userid_file

EDIT: several small fixes.

Good luck
/Kristian

0 Karma
Reply

kml_uvce
Builder
‎05-17-2013 05:27 AM

please explain it with some data..

kamal singh bisht
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...