How to add new entries in lookup?

bosseres · ‎08-03-2023

Hello, everyone!

I have search, which ends in such way

...

| table id, name
| outputlookup my_lookup.csv

so my search get such results

Now, I want to record only NEW id's from search to lookup, which weren't there

Is it possible to make without reworking search?

ITWhisperer · ‎08-03-2023

append=t

You should remove any results which are already in your lookup.

bosseres · ‎08-03-2023

append true makes dublicates, is it possible to avoid it?

maybe any other solution?

ITWhisperer · ‎08-03-2023

Yes, as I said, remove the duplicates before the outputlookup.

It does depend on how you generate the events you want to add to the lookup.

gcusello · ‎08-03-2023

you have two choices:

For the second choice, please try this:

<your_search> NOT [ | inputlookup my_lookup.csv | fields name ]
| table id, name
| outputlookup my_lookup.csv append=true

Ciao.

Giuseppe

bosseres · ‎08-03-2023

Ye, I thought about it, but...

first one choice is not suit to me, because I need to make big time range of search to collect of actual id's.

about second one I thought, but i am afraid of some id's can be changed, so better to recollect them

Are you a member of the Splunk Community?