Splunk Search

How do you add search results to an existing lookup?

rajasekhar14
Path Finder

i have a table that has 30 columns and some rows,

table 1
column1 column2 ---------- column30
ww xx -------------------------- aa

expecting table will like this
column1 column2 ---------- column30

ww xx -------------------------- aa



etc...

so my question is how to add more rows to it without deleting the old lookup.

0 Karma

vishaltaneja070
Motivator

Try this:

| appendpipe [| inputlookup abc.csv ] | eval key = column1."|".column2."|".column3
| dedup key
|outputlookup abc.csv append=false

0 Karma

Vijeta
Influencer
<your query>| outputlookup append=true <yourlookupname>
0 Karma

rajasekhar14
Path Finder

thanks @vijeta its appending all results again and again. it be coming duplicates rows every time? my goal is, we have a existing table with some values(rows) and when ever i search it give the same values or new values. So if the values are same as in table it no need to add those values to existing table. if the values are new only it need to add to that lookup table.

0 Karma

Vijeta
Influencer

I need to see your query .

0 Karma

rajasekhar14
Path Finder

i using another lookup table to search the data, my query will be like this
|inputlookup my_lookup | eval a=b |eval c=g |eval d=e | table b g e|outputlookup new_lookup
after your answer i changed my query to like this
|inputlookup my_lookup | eval a=b |eval c=g |eval d=e | table b g e |outputlookup append=true new_lookup

0 Karma

Vijeta
Influencer

This will add to your new lookup whatever you are getting from old lookup. Do you want to overwrite new lookup ?

0 Karma

rajasekhar14
Path Finder

NO, if there are any new values coming from my search that values to be add my new lookup table. which type of command do i need to use ?

0 Karma

Vijeta
Influencer

In that case append= false, did you try that.

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...