Splunk Search

How to have the Lookup command to output only the changes to a csv file?

neerajs_81
Builder

Gentlemen,

Need some help with the lookup command. I have a lookup table (csv) which is a master list of user accounts. It looks something like this.

user_id first last email phone manager

I have a Scheduled search that runs daily. This search shows only the users that have been modified, updated or newly created.

How can I append the results of this search to my above csv lookup file in such a way that it does not create duplicates? Basically, if the user record already exists in the csv and the search finds that one of his attributes has been updated (for example: manager), then the outputlookup should update the existing user record in the csv rather than creating a duplicate one. Hope I am clear.
I read some posts about users recommending the below command, but I don't understand how appending solves this use case. Should I be using this?

 

| append [inputlookup <lookup_csv>]

 


The "Scheduled Search" is configured to "append" to the csv lookup in its properties.


 

Thanks in advance


ITWhisperer
SplunkTrust

Have your scheduled report "merge" the current contents of the csv file (using inputlookup as you suggest) with the new information such that it has the complete contents of the csv, then replace (rather than append) the results back to the lookup file.


yuanliu
SplunkTrust

append can prevent losing a user if the user search doesn't return all existing users. Another use of append is as an intermediate step to determine whether a user is new, by way of stats. Similarly, you can use stats to find out whether a preexisting user is modified or unchanged.

However, if your goal is to update the CSV when a user changes, you cannot use outputlookup to modify an existing record unless you rewrite everything. Per outputlookup,

An outputlookup search that is run with append=true might result in a situation where the lookup table or collection is only partially updated.

With append=false (default), you won't have duplicates just because the CSV already contains the user.

The following assumes that usersearch may not have all users.

 

source=mysource usersearch
``` keep the latest event per user: dedup keeps the first row it sees, and events arrive newest first ```
| dedup user_id
| append
  [ | inputlookup lookup_csv
    | eval source="from_lookup" ]
``` a user present in both the search results and the lookup gets sourcecount=2 ```
| eventstats dc(source) as sourcecount by user_id
``` keep every search row, plus lookup rows only for users the search did not return ```
| where source=="mysource" OR sourcecount==1
| table user_id first last email phone manager
| outputlookup lookup_csv
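To check the merge rule from the answer above without a Splunk instance, here is an added Python model (not SPL and not code from this thread). It reproduces, on constructed in-memory rows, the semantics of `search results | append [inputlookup lookup_csv] | dedup user_id | outputlookup lookup_csv` (the simplest form of the "merge, then replace" approach), and contrasts it with what outputlookup append=true leaves behind. The field names are the ones from the question; the row values and the lookup name are made up.

```python
"""Model of "merge the search results with the current lookup, then replace".

Added illustration, not from the thread: it mimics

    <search results> | append [ inputlookup lookup_csv ] | dedup user_id | outputlookup lookup_csv

on plain Python dicts so the no-duplicates rule can be checked offline.
Every row below is constructed sample data.
"""
import csv
import io

FIELDS = ["user_id", "first", "last", "email", "phone", "manager"]

# Constructed: current contents of the master lookup CSV.
EXISTING_LOOKUP_CSV = """user_id,first,last,email,phone,manager
u001,Ann,Lee,ann@example.com,555-0101,mgr_a
u002,Bob,Ray,bob@example.com,555-0102,mgr_a
u003,Cy,Tan,cy@example.com,555-0103,mgr_b
"""

# Constructed: what the daily scheduled search returns (changed/new users only),
# most recent event first, as Splunk returns events by default.
SEARCH_RESULTS = [
    {"user_id": "u002", "first": "Bob", "last": "Ray", "email": "bob@example.com",
     "phone": "555-0102", "manager": "mgr_c"},   # manager changed today
    {"user_id": "u004", "first": "Di", "last": "Wu", "email": "di@example.com",
     "phone": "555-0104", "manager": "mgr_b"},   # newly created user
    {"user_id": "u002", "first": "Bob", "last": "Ray", "email": "bob@example.com",
     "phone": "555-0102", "manager": "mgr_b"},   # older event for u002, superseded
]


def read_lookup(csv_text):
    """Parse the lookup CSV text into rows, as inputlookup would return them."""
    return [dict(row) for row in csv.DictReader(io.StringIO(csv_text))]


def merge_lookup(search_rows, lookup_rows, key="user_id"):
    """Equivalent of `search | append [inputlookup] | dedup <key>`.

    Search results come first, so a user present in both sources keeps the
    search result (the update); users only in the lookup are kept unchanged;
    like dedup, the first row seen per key (the most recent event) wins.
    """
    merged = {}
    for row in list(search_rows) + list(lookup_rows):
        merged.setdefault(row[key], row)
    return list(merged.values())


def append_lookup(search_rows, lookup_rows):
    """What outputlookup append=true does: rows are added, never replaced."""
    return list(lookup_rows) + list(search_rows)


def duplicate_keys(rows, key="user_id"):
    """Return the keys that occur more than once, i.e. duplicate user records."""
    seen, dupes = set(), set()
    for row in rows:
        if row[key] in seen:
            dupes.add(row[key])
        seen.add(row[key])
    return sorted(dupes)


def write_lookup(rows):
    """Serialise the full table, as outputlookup (append=false) rewrites the whole file."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for row in sorted(rows, key=lambda r: r["user_id"]):
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    existing = read_lookup(EXISTING_LOOKUP_CSV)
    print("append=true would leave duplicates for:",
          duplicate_keys(append_lookup(SEARCH_RESULTS, existing)))
    print(write_lookup(merge_lookup(SEARCH_RESULTS, existing)))
```

The model deliberately puts the search results before the lookup contents: ordering is what makes dedup keep the updated record rather than the stale one, and the same ordering matters in the real SPL.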

 

 

neerajs_81
Builder

Thank you for the detailed information


