I need to handle a year's data in Splunk and am looking for suggestions to split the dataset and then populate the dashboard.
| inputlookup lookupname.csv | eval Time=strftime(now(),"%b") | where month!=Time | outputlookup lookupname.csv
Here, suppose you have a month field in the lookup which stores the abbreviated month name (like Jan, Feb, etc.). It will match the month when the search runs, exclude that month via the where clause, and store the remaining months in your lookup.
Schedule this search to run on the first day of every month.
Let me know if this helps.
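A fuller version of the rotation above, added here as an example and not taken from the thread: instead of matching on the month name (which, once a year, also matches any of the new month's rows that were appended before the prune ran), it keeps every row whose own date falls within the last 12 whole months. It assumes the lookup carries a hypothetical event_date column in YYYY-MM-DD form; lookupname.csv is the file name used in the thread.

```spl
| inputlookup lookupname.csv
| eval cutoff=relative_time(now(), "-12mon@mon")
| eval row_time=strptime(event_date, "%Y-%m-%d")
| where isnotnull(row_time) AND row_time >= cutoff
| fields - cutoff row_time
| outputlookup lookupname.csv
```

Save it as a report scheduled for the first day of each month (cron 0 1 1 * *) so it runs before the daily append search for that day. Two things to be aware of: outputlookup without append=true rewrites the whole file, so rows dropped by the where clause are gone (take a copy with a separate | outputlookup lookupname_backup.csv first if you need one), and rows whose event_date does not parse are deliberately dropped by the isnotnull check rather than kept forever.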
Thanks... I am just starting off with Splunk and your inputs are valuable. Also, I would want to know if we can overwrite an existing lookup (only a part of the data) with new data using a saved search.
You can overwrite an existing CSV lookup using the | outputlookup command, or you can append to a lookup using the append=t stanza, but you cannot update part of the data in a CSV lookup. For updating part of the data you need to use a KV Store lookup.
Can you please elaborate on what you are trying to accomplish?
How do you imagine your final result will look?
As for the header, for a lookup based on a month, you can run a search periodically to populate a lookup with the outputlookup command.
Hope it's a start.
Hi Adonio,
I am handling a very large dataset to develop Splunk dashboards. The dataset has data for every month of a year. I created a saved search to add data on a day-to-day basis (the CSV already has a year's data). I wanted to know if we can create a saved search and dynamically populate a lookup, e.g. if the month = September, the data needs to be saved in a September CSV.
Or do we have functionality in Splunk where we can delete old records from the existing lookup?
How can we handle this scenario to improve the performance of the dashboard?
Hi @priyanka0309,
You can create one scheduled saved search which will run every month and delete the 13th month's data, to retain 12 months of data.
Thanks for the reply. Can you let me know the code for that?
Can we write a query and output it to a CSV based on a condition?
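As an added example (not code from the thread) covering both the daily append mentioned earlier and the conditional output asked about here, below are two searches, separated by a blank line, each saved as its own report. The first is scheduled daily and appends a summary of yesterday's events to the lookup; the second writes only the rows matching a condition into a separate CSV, which is how a per-month file is produced, since outputlookup takes a fixed file name rather than one computed per row. The index name main, the fields host and status, and the file name lookupname_sep.csv are assumptions.

```spl
index=main earliest=-1d@d latest=@d
| eval event_date=strftime(_time, "%Y-%m-%d"), month=strftime(_time, "%b")
| stats count by event_date, month, host, status
| outputlookup append=true lookupname.csv

| inputlookup lookupname.csv
| where month="Sep"
| outputlookup lookupname_sep.csv
```

The first search aggregates before writing, so the lookup grows by one row per distinct event_date/month/host/status combination per day rather than by one row per raw event; keeping the CSV small is what keeps the dashboard fast. The second search can be given any where clause (a date range, a status code, a host) and a different target file; because it omits append=true it replaces lookupname_sep.csv on every run.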