Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to add to a lookup csv without having to delet...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Log_wrangler
Builder
07-05-2018
08:16 AM
I have a lookup table file csv. Every now and then I have to add a couple of domains to it along with a hard coded "1" (which I use as a flag).
I have a copy of the csv on my desktop, where I manually edit it, and then delete the old version in splunk, and create a new lookup, using the edited csv version.
Is there a more efficient way to update it?
Thank you
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pradeepkumarg
Influencer
07-05-2018
08:21 AM
There are couple of alternatives, than having to re upload. If the number of entries are less.
- Install this app and edit the lookup in Splunk itself https://splunkbase.splunk.com/app/1724/
- Run a search to update/overwrite using outputlookup
| inputlookup mylookup.csv | append [|makeresults | eval domain="abc" | eval flag="1" | table domain flag] | outputlookup mylookup.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-05-2018
09:16 AM
You can install the Lookup Editor app, or you can just fix it in the SPL with something like this:
Your Search For New/Replacement Data here
| appendpipe [|inputlookup YourLookup.csv]
| dedup YourKeyFieldHere
| outputlookup YourLookup.csv
The dedup will cause any new data to supersede any existing data and then the merged set is written back out.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Log_wrangler
Builder
07-06-2018
03:12 PM
Thank you for your reply, I will keep this in mind, however I have to use the above for my situation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pradeepkumarg
Influencer
07-05-2018
08:21 AM
There are couple of alternatives, than having to re upload. If the number of entries are less.
- Install this app and edit the lookup in Splunk itself https://splunkbase.splunk.com/app/1724/
- Run a search to update/overwrite using outputlookup
| inputlookup mylookup.csv | append [|makeresults | eval domain="abc" | eval flag="1" | table domain flag] | outputlookup mylookup.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Log_wrangler
Builder
07-06-2018
03:11 PM
your code works great, I could not get it to work because of a 1D10T error, typo, Thank you!
Get Updates on the Splunk Community!
Get Operational Insights Quickly with Natural Language on the Splunk Platform
In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...
What’s New in Splunk Observability Cloud – June 2025
What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...
Almost Too Eventful Assurance: Part 2
Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...
