Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to populate a lookup file with eval?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I would like to update a lookup file with, for an example 10 new information, through Splunk Search only.
The table consists of 4 columns as below.
At the moment I am using the below search:
| gentimes start=-1
| fields comment, date, user, text
| eval comment="Update_Lookup_1", date="13/04/2019", user="User 1", text="Hello World 1"
| eval comment="Update_Lookup_2", date="13/04/2019", user="User 2", text="Hello World 2"
| eval comment="Update_Lookup_3", date="13/04/2019", user="User 3", text="Hello World 3"
| eval comment="Update_Lookup_4", date="13/04/2019", user="User 4", text="Hello World 4"
| eval comment="Update_Lookup_5", date="13/04/2019", user="User 5", text="Hello World 5"
| eval comment="Update_Lookup_6", date="13/04/2019", user="User 6", text="Hello World 6"
| eval comment="Update_Lookup_7", date="13/04/2019", user="User 7", text="Hello World 7"
| eval comment="Update_Lookup_8", date="13/04/2019", user="User 8", text="Hello World 8"
| eval comment="Update_Lookup_9", date="13/04/2019", user="User 9", text="Hello World 9"
| eval comment="Update_Lookup_10", date="13/04/2019", user="User 10", text="Hello World 10"
| table comment,date, user, text
| inputlookup append=true lookupfile_original.csv
| outputlookup updated_lookupfile.csv append=t
However, when I run the search, the updated_lookupfile.csv only reflects the 10th result (the eval results 1-9 is not added)
Any suggestions on how to do this via search? Thanks in advance
Edit: assume that fields comment and text contains random characters and not incremental
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I run your base search
| gentimes start=-1
| fields comment, date, user, text
| eval comment="Update_Lookup_1", date="13/04/2019", user="User 1", text="Hello World 1"
...
| eval comment="Update_Lookup_10", date="13/04/2019", user="User 10", text="Hello World 10"
| table comment,date, user, text
then it is generating only one event:
comment date user text
Update_Lookup_10 13/04/2019 User 10 Hello World 10
So you should improve your base search. The inputlookup and outputlookup commands look fine though.
Try this instead:
| makeresults count=1
| eval _raw="comment=\"Update_Lookup_1\", date=\"13/04/2019\", user=\"User 1\", text=\"Hello World 1\"|comment=\"Update_Lookup_2\", date=\"13/04/2019\", user=\"User 2\", text=\"Hello World 2\"|comment=\"Update_Lookup_3\", date=\"13/04/2019\", user=\"User 3\", text=\"Hello World 3\"|comment=\"Update_Lookup_4\", date=\"13/04/2019\", user=\"User 4\", text=\"Hello World 4\"|comment=\"Update_Lookup_5\", date=\"13/04/2019\", user=\"User 5\", text=\"Hello World 5\"|comment=\"Update_Lookup_6\", date=\"13/04/2019\", user=\"User 6\", text=\"Hello World 6\"|comment=\"Update_Lookup_7\", date=\"13/04/2019\", user=\"User 7\", text=\"Hello World 7\"|comment=\"Update_Lookup_8\", date=\"13/04/2019\", user=\"User 8\", text=\"Hello World 8\"|comment=\"Update_Lookup_9\", date=\"13/04/2019\", user=\"User 9\", text=\"Hello World 9\"|comment=\"Update_Lookup_10\", date=\"13/04/2019\", user=\"User 10\", text=\"Hello World 10\""
| eval splits=split(_raw, "|") | mvexpand splits | eval _raw=splits | kv
| table comment,date, user, text
| ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I run your base search
| gentimes start=-1
| fields comment, date, user, text
| eval comment="Update_Lookup_1", date="13/04/2019", user="User 1", text="Hello World 1"
...
| eval comment="Update_Lookup_10", date="13/04/2019", user="User 10", text="Hello World 10"
| table comment,date, user, text
then it is generating only one event:
comment date user text
Update_Lookup_10 13/04/2019 User 10 Hello World 10
So you should improve your base search. The inputlookup and outputlookup commands look fine though.
Try this instead:
| makeresults count=1
| eval _raw="comment=\"Update_Lookup_1\", date=\"13/04/2019\", user=\"User 1\", text=\"Hello World 1\"|comment=\"Update_Lookup_2\", date=\"13/04/2019\", user=\"User 2\", text=\"Hello World 2\"|comment=\"Update_Lookup_3\", date=\"13/04/2019\", user=\"User 3\", text=\"Hello World 3\"|comment=\"Update_Lookup_4\", date=\"13/04/2019\", user=\"User 4\", text=\"Hello World 4\"|comment=\"Update_Lookup_5\", date=\"13/04/2019\", user=\"User 5\", text=\"Hello World 5\"|comment=\"Update_Lookup_6\", date=\"13/04/2019\", user=\"User 6\", text=\"Hello World 6\"|comment=\"Update_Lookup_7\", date=\"13/04/2019\", user=\"User 7\", text=\"Hello World 7\"|comment=\"Update_Lookup_8\", date=\"13/04/2019\", user=\"User 8\", text=\"Hello World 8\"|comment=\"Update_Lookup_9\", date=\"13/04/2019\", user=\"User 9\", text=\"Hello World 9\"|comment=\"Update_Lookup_10\", date=\"13/04/2019\", user=\"User 10\", text=\"Hello World 10\""
| eval splits=split(_raw, "|") | mvexpand splits | eval _raw=splits | kv
| table comment,date, user, text
| ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi whrg,
Thank you very much for helping out! I have amended my original search as per your answer and it worked perfectly!
Kind regards,
V
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
