How can I combine 2 searches consisting of inputlookup and outputlookups?

pc1234
Explorer

How can I combine queries to populate a lookup table?
I have a lookup table with the following values:

item

1
2
3
I'm using the Splunk Web Framework to allow a user to insert an item. If the user enters 3, then item 3 is changed to 4 and item 3 is inserted. The field input_item represents the value entered by the user. I'm using the query below to first renumber item 3 to 4 and to insert item 3 via an appended search.

| inputlookup item.csv
| eval input_item = 3
| eval itemnumber = if(itemnumber >= input_item, itemnumber +1, itemnumber)
| fields - input_item
| outputlookup item.csv
| append [
| inputlookup item.csv | stats count as testcount
| eval input_item =3
| eval itemnumber = input_item
| fields - testcount
| outputlookup item.csv append=true]
Unfortunately, the new item is created with a value of 4 instead of 3.
Is there a way to combine these two queries, or do I need to create two separate queries via two separate searches in the search manager?

thanks in advance,
Peter


niketn
Legend

@pc1234 since you are anyways using Splunk Web Framework, this scenario seems to be a valid case for KV Store. So, you should try KV Store in place of Lookup: http://dev.splunk.com/view/webframework-tutorials/SP-CAAAEZT

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

MonkeyK
Builder

PC1234, looks like you just want to modify your CSV and add a row to it. I am guessing that the csv gets evaluated once in the query, so try this:

| inputlookup item.csv
| eval input_item = 3
| eval itemnumber = if(itemnumber >= input_item, itemnumber + 1, itemnumber)
| append [| makeresults | eval itemnumber = 3 | table itemnumber]
| fields - input_item
| outputlookup item.csv
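A self-contained version of that single-write pipeline, added here as an example rather than code from the thread: it builds the three sample rows with makeresults instead of reading an existing file, so it runs on any Splunk instance, appends the new row before the one outputlookup, and tags rows with an origin field (a name assumed for illustration) so the inserted row can be told apart from the renumbered one. The user's value 3 is hard-coded as in the thread, and item.csv is the lookup name from the question.

```spl
| makeresults count=3
| streamstats count as itemnumber
| table itemnumber
| eval input_item = 3
| eval itemnumber = if(itemnumber >= input_item, itemnumber + 1, itemnumber)
| eval origin = "existing"
| append [| makeresults | eval itemnumber = 3, origin = "inserted" | table itemnumber origin]
| fields - input_item
| sort 0 itemnumber
| outputlookup item.csv
```

The search returns, and writes, four rows: itemnumber 1 and 2 unchanged, 3 marked "inserted", and the former 3 renumbered to 4; remove origin with `| fields - origin` before outputlookup if the lookup should keep only itemnumber.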

MonkeyK
Builder

FYI, I verified that the lookup is only loaded/evaluated when the search gets parsed by doing this:

| makeresults
| eval data = "ITEM=1 ;ITEM=2; ITEM=3"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| kv
| table ITEM
| outputlookup items.csv
| append [| inputlookup items.csv]

If the lookup were processed for each reference, I would get two records each for ITEM=1, ITEM=2, ITEM=3.
Instead the results look like:

ITEM
1
2
3

Run the same query again and I get:

ITEM
1
2
3
1
2
3