Splunk Search

How do you add search results to an existing lookup?

rajasekhar14
Path Finder

I have a table that has 30 columns and some rows,

table 1
column1 column2 ---------- column30
ww xx -------------------------- aa

I am expecting the table to look like this
column1 column2 ---------- column30

ww xx -------------------------- aa



etc...

So my question is how to add more rows to it without deleting the old lookup.

0 Karma

vishaltaneja070
Motivator

Try this:

| appendpipe [| inputlookup abc.csv ] | eval key = column1."|".column2."|".column3
| dedup key
| outputlookup abc.csv append=false

0 Karma

Vijeta
Influencer

<your query> | outputlookup append=true <yourlookupname>

0 Karma

rajasekhar14
Path Finder

Thanks @vijeta, it's appending all results again and again. It's becoming duplicate rows every time? My goal is: we have an existing table with some values (rows), and whenever I search it gives the same values or new values. So if the values are the same as in the table, there is no need to add those values to the existing table. Only if the values are new does it need to add them to that lookup table.

0 Karma

Vijeta
Influencer

I need to see your query.

0 Karma

rajasekhar14
Path Finder

I am using another lookup table to search the data. My query will be like this:

| inputlookup my_lookup | eval a=b | eval c=g | eval d=e | table b g e | outputlookup new_lookup

After your answer I changed my query to this:

| inputlookup my_lookup | eval a=b | eval c=g | eval d=e | table b g e | outputlookup append=true new_lookup

0 Karma

Vijeta
Influencer

This will add to your new lookup whatever you are getting from the old lookup. Do you want to overwrite the new lookup?

0 Karma

rajasekhar14
Path Finder

No, if there are any new values coming from my search, those values are to be added to my new lookup table. Which type of command do I need to use?

0 Karma

Vijeta
Influencer

In that case append=false, did you try that?

0 Karma
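
An added example, not posted by anyone in this thread: one way to get "only new rows are added" is to merge the search results with the current contents of the lookup, de-duplicate on the full row, and rewrite the lookup. It reuses the my_lookup, new_lookup and b/g/e names from the query above; the temporary key field and the coalesce() wrapping are additions, there so that a row with an empty column still gets a key and is not dropped by dedup.

```spl
| inputlookup my_lookup
| eval a=b, c=g, d=e
| table b g e
| inputlookup append=true new_lookup
| eval key=coalesce(b,"")."|".coalesce(g,"")."|".coalesce(e,"")
| dedup key
| fields - key
| outputlookup new_lookup
```

Running this repeatedly leaves new_lookup unchanged unless the search returns a b/g/e combination that is not already present. new_lookup has to exist before the first run, because inputlookup reads it.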