Solved: How to populate a lookup file with eval?

vbantug · ‎04-12-2019

Hi,

I would like to update a lookup file with, for an example 10 new information, through Splunk Search only.
The table consists of 4 columns as below.

At the moment I am using the below search:

| gentimes start=-1
| fields comment, date, user, text
| eval comment="Update_Lookup_1", date="13/04/2019", user="User 1", text="Hello World 1"
| eval comment="Update_Lookup_2", date="13/04/2019", user="User 2", text="Hello World 2"
| eval comment="Update_Lookup_3", date="13/04/2019", user="User 3", text="Hello World 3"
| eval comment="Update_Lookup_4", date="13/04/2019", user="User 4", text="Hello World 4"
| eval comment="Update_Lookup_5", date="13/04/2019", user="User 5", text="Hello World 5"
| eval comment="Update_Lookup_6", date="13/04/2019", user="User 6", text="Hello World 6"
| eval comment="Update_Lookup_7", date="13/04/2019", user="User 7", text="Hello World 7"
| eval comment="Update_Lookup_8", date="13/04/2019", user="User 8", text="Hello World 8"
| eval comment="Update_Lookup_9", date="13/04/2019", user="User 9", text="Hello World 9"
| eval comment="Update_Lookup_10", date="13/04/2019", user="User 10", text="Hello World 10"
| table comment,date, user, text
| inputlookup append=true lookupfile_original.csv
| outputlookup updated_lookupfile.csv append=t

However, when I run the search, the updated_lookupfile.csv only reflects the 10th result (the eval results 1-9 is not added)

Any suggestions on how to do this via search? Thanks in advance

Edit: assume that fields comment and text contains random characters and not incremental

whrg · ‎04-13-2019

When I run your base search

| gentimes start=-1
| fields comment, date, user, text
| eval comment="Update_Lookup_1", date="13/04/2019", user="User 1", text="Hello World 1"
...
| eval comment="Update_Lookup_10", date="13/04/2019", user="User 10", text="Hello World 10"
| table comment,date, user, text

then it is generating only one event:

comment            date          user       text
Update_Lookup_10   13/04/2019   User 10 Hello World 10

So you should improve your base search. The inputlookup and outputlookup commands look fine though.

Try this instead:

| makeresults count=1
| eval _raw="comment=\"Update_Lookup_1\", date=\"13/04/2019\", user=\"User 1\", text=\"Hello World 1\"|comment=\"Update_Lookup_2\", date=\"13/04/2019\", user=\"User 2\", text=\"Hello World 2\"|comment=\"Update_Lookup_3\", date=\"13/04/2019\", user=\"User 3\", text=\"Hello World 3\"|comment=\"Update_Lookup_4\", date=\"13/04/2019\", user=\"User 4\", text=\"Hello World 4\"|comment=\"Update_Lookup_5\", date=\"13/04/2019\", user=\"User 5\", text=\"Hello World 5\"|comment=\"Update_Lookup_6\", date=\"13/04/2019\", user=\"User 6\", text=\"Hello World 6\"|comment=\"Update_Lookup_7\", date=\"13/04/2019\", user=\"User 7\", text=\"Hello World 7\"|comment=\"Update_Lookup_8\", date=\"13/04/2019\", user=\"User 8\", text=\"Hello World 8\"|comment=\"Update_Lookup_9\", date=\"13/04/2019\", user=\"User 9\", text=\"Hello World 9\"|comment=\"Update_Lookup_10\", date=\"13/04/2019\", user=\"User 10\", text=\"Hello World 10\""
| eval splits=split(_raw, "|") | mvexpand splits | eval _raw=splits | kv
| table comment,date, user, text
| ...

View solution in original post

whrg · ‎04-13-2019

When I run your base search

| gentimes start=-1
| fields comment, date, user, text
| eval comment="Update_Lookup_1", date="13/04/2019", user="User 1", text="Hello World 1"
...
| eval comment="Update_Lookup_10", date="13/04/2019", user="User 10", text="Hello World 10"
| table comment,date, user, text

then it is generating only one event:

comment            date          user       text
Update_Lookup_10   13/04/2019   User 10 Hello World 10

So you should improve your base search. The inputlookup and outputlookup commands look fine though.

Try this instead:

| makeresults count=1
| eval _raw="comment=\"Update_Lookup_1\", date=\"13/04/2019\", user=\"User 1\", text=\"Hello World 1\"|comment=\"Update_Lookup_2\", date=\"13/04/2019\", user=\"User 2\", text=\"Hello World 2\"|comment=\"Update_Lookup_3\", date=\"13/04/2019\", user=\"User 3\", text=\"Hello World 3\"|comment=\"Update_Lookup_4\", date=\"13/04/2019\", user=\"User 4\", text=\"Hello World 4\"|comment=\"Update_Lookup_5\", date=\"13/04/2019\", user=\"User 5\", text=\"Hello World 5\"|comment=\"Update_Lookup_6\", date=\"13/04/2019\", user=\"User 6\", text=\"Hello World 6\"|comment=\"Update_Lookup_7\", date=\"13/04/2019\", user=\"User 7\", text=\"Hello World 7\"|comment=\"Update_Lookup_8\", date=\"13/04/2019\", user=\"User 8\", text=\"Hello World 8\"|comment=\"Update_Lookup_9\", date=\"13/04/2019\", user=\"User 9\", text=\"Hello World 9\"|comment=\"Update_Lookup_10\", date=\"13/04/2019\", user=\"User 10\", text=\"Hello World 10\""
| eval splits=split(_raw, "|") | mvexpand splits | eval _raw=splits | kv
| table comment,date, user, text
| ...

vbantug · ‎04-13-2019

Hi whrg,

Thank you very much for helping out! I have amended my original search as per your answer and it worked perfectly!

Kind regards,
V

How to populate a lookup file with eval?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...