Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to add to a lookup csv without having to delet...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Log_wrangler
Builder
07-05-2018
08:16 AM
I have a lookup table file csv. Every now and then I have to add a couple of domains to it along with a hard coded "1" (which I use as a flag).
I have a copy of the csv on my desktop, where I manually edit it, and then delete the old version in splunk, and create a new lookup, using the edited csv version.
Is there a more efficient way to update it?
Thank you
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pradeepkumarg
Influencer
07-05-2018
08:21 AM
There are couple of alternatives, than having to re upload. If the number of entries are less.
- Install this app and edit the lookup in Splunk itself https://splunkbase.splunk.com/app/1724/
- Run a search to update/overwrite using outputlookup
| inputlookup mylookup.csv | append [|makeresults | eval domain="abc" | eval flag="1" | table domain flag] | outputlookup mylookup.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-05-2018
09:16 AM
You can install the Lookup Editor app, or you can just fix it in the SPL with something like this:
Your Search For New/Replacement Data here
| appendpipe [|inputlookup YourLookup.csv]
| dedup YourKeyFieldHere
| outputlookup YourLookup.csv
The dedup will cause any new data to supersede any existing data and then the merged set is written back out.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Log_wrangler
Builder
07-06-2018
03:12 PM
Thank you for your reply, I will keep this in mind, however I have to use the above for my situation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pradeepkumarg
Influencer
07-05-2018
08:21 AM
There are couple of alternatives, than having to re upload. If the number of entries are less.
- Install this app and edit the lookup in Splunk itself https://splunkbase.splunk.com/app/1724/
- Run a search to update/overwrite using outputlookup
| inputlookup mylookup.csv | append [|makeresults | eval domain="abc" | eval flag="1" | table domain flag] | outputlookup mylookup.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Log_wrangler
Builder
07-06-2018
03:11 PM
your code works great, I could not get it to work because of a 1D10T error, typo, Thank you!
Get Updates on the Splunk Community!
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Announcing the General Availability of Splunk Enterprise Security 8.1!
We are pleased to announce the general availability of Splunk Enterprise Security 8.1. Splunk becomes the only ...
Developer Spotlight with William Searle
The Splunk Guy: A Developer’s Path from Web to Cloud
William is a Splunk Professional Services Consultant with ...
