- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you add search results to an existing l...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you add search results to an existing lookup?
i have a table that has 30 columns and some rows,
table 1
column1 column2 ---------- column30
ww xx -------------------------- aa
expecting table will like this
column1 column2 ---------- column30
ww xx -------------------------- aa
etc...
so my question is how to add more rows to it without deleting the old lookup.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
| appendpipe [| inputlookup abc.csv ] | eval key = column1."|".column2."|".column3
| dedup key
|outputlookup abc.csv append=false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
<your query>| outputlookup append=true <yourlookupname>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks @vijeta its appending all results again and again. it be coming duplicates rows every time? my goal is, we have a existing table with some values(rows) and when ever i search it give the same values or new values. So if the values are same as in table it no need to add those values to existing table. if the values are new only it need to add to that lookup table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to see your query .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i using another lookup table to search the data, my query will be like this
|inputlookup my_lookup | eval a=b |eval c=g |eval d=e | table b g e|outputlookup new_lookup
after your answer i changed my query to like this
|inputlookup my_lookup | eval a=b |eval c=g |eval d=e | table b g e |outputlookup append=true new_lookup
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This will add to your new lookup whatever you are getting from old lookup. Do you want to overwrite new lookup ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NO, if there are any new values coming from my search that values to be add my new lookup table. which type of command do i need to use ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In that case append= false, did you try that.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
