Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to read and write data to CSV lookup?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I must write and read data from lookup files.
Example:
cn,srcip,destip,owner
"Canada","207.188.75.136","192.1.104.10","user1"
"USA","62.249.72.118","192.168.1.11","user2"
and I tried to read data using | lookup file cn AS cn | table cn`but it did not work.| lookup file cn OUTPUT cn`.
and this too
What should I do?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If all you want to do is read the contents of the lookup try the inputlookup command.
For example,
|inputlookup file.csv
will list the entire contents of the lookup. You can search for a specific entry in the lookup using:
|inputlookup file.csv | search fieldname=whatever
To perform a lookup against the csv during a search would use the lookup command, like:
[main search] | lookup file.csv fieldname OUTPUT otherfieldnames|...
To write to a lookup you would use outputlookup.
For example:
|inputlookup file.csv|eval cn=if(cn=="something","something else",cn)|outputlookup file.csv
Will perform the lookup, and will change an entry in the field cn if it contains a specific value, and will then overwrite the original lookup (it is always advisable to test the results before performing this overwrite as errors can be embarrassing to fix).
Hope this helps,
Sheamus
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If all you want to do is read the contents of the lookup try the inputlookup command.
For example,
|inputlookup file.csv
will list the entire contents of the lookup. You can search for a specific entry in the lookup using:
|inputlookup file.csv | search fieldname=whatever
To perform a lookup against the csv during a search would use the lookup command, like:
[main search] | lookup file.csv fieldname OUTPUT otherfieldnames|...
To write to a lookup you would use outputlookup.
For example:
|inputlookup file.csv|eval cn=if(cn=="something","something else",cn)|outputlookup file.csv
Will perform the lookup, and will change an entry in the field cn if it contains a specific value, and will then overwrite the original lookup (it is always advisable to test the results before performing this overwrite as errors can be embarrassing to fix).
Hope this helps,
Sheamus
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did it... [main search] | lookup file.csv fieldname OUTPUT otherfieldnames|... ... not worked
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What specifically are you trying to do with the lookup? Can you give an example?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
