Splunk Search

I am looking for a functionality with which we can create CSV lookups based on month in Splunk. Is this possible? Is it possible to delete data based on certain conditions in a lookup?

priyanka0309
New Member

I need to handle a year's data in Splunk and am looking for suggestions to split the dataset and then populate the dashboard.

0 Karma

493669
Super Champion
|inputlookup lookupname.csv | eval Time=strftime(now(),"%b") | where month!=Time | outputlookup lookupname.csv

Here, suppose you have a month field in the lookup which stores the abbreviated month name (like Jan, Feb, etc.). This will match the month when the search runs, exclude that month with the where clause, and store the remaining months in your lookup.
Schedule this search to run on the first day of every month.
Let me know if this helps.

0 Karma

priyanka0309
New Member

Thanks... I am just starting off with Splunk and your inputs are valuable. Also, I would want to know if we can overwrite an existing lookup (only a part of the data) with new data using a saved search.

0 Karma

493669
Super Champion

You can overwrite an existing CSV lookup using the |outputlookup command, or you can append to the lookup using the append=t stanza, but you cannot update part of the data in a CSV lookup. For updating part of the data you need to use a KV Store lookup.

0 Karma

adonio
Ultra Champion

Can you please elaborate on what you are trying to accomplish?
What do you imagine your final result to look like?
As for the header, a lookup based on a month, you can run a search periodically to populate a lookup with the outputlookup command.

Hope it's a start.

0 Karma

priyanka0309
New Member

Hi Adonio ,

I am handling a very large dataset to develop Splunk dashboards. The dataset has data for every month for a year. I created a saved search to add data on a day-to-day basis (the CSV already has a year's data). I wanted to know if we can create a saved search and dynamically populate a lookup, like if the month = September, the data needs to be saved in a September CSV.
Or do we have a functionality in Splunk where we can delete old records from the existing lookup?

How can we handle this scenario to improve the performance of the dashboard?

0 Karma

493669
Super Champion

Hi @priyanka0309,
You can create one scheduled saved search which will run every month and delete the 13th month's data, to retain 12 months of data.

0 Karma
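As an added example (not code posted in this thread), here are two saved searches that implement the append-with-a-saved-search pattern from the earlier answer and the monthly 12-month retention suggested in this one. The lookup name monthly_data.csv, the index app_logs and sourcetype app:events, the row fields, and an epoch-seconds field event_time in each row are assumptions made for the illustration.

```spl
index=app_logs sourcetype=app:events earliest=-1d@d latest=@d
| eval event_time=_time
| table event_time host user action
| outputlookup append=true monthly_data.csv

| inputlookup monthly_data.csv
| eval cutoff=relative_time(now(), "-12mon@mon")
| where event_time >= cutoff
| fields - cutoff
| outputlookup monthly_data.csv
```

Schedule the first search daily and the second on the first of each month (cron 0 1 1 * *): the cutoff snaps to the start of the month 12 months back, so exactly 12 full months survive regardless of how many runs were missed, unlike matching on the month abbreviation. Because outputlookup takes a literal filename rather than a field value, saving rows into a per-month CSV such as a September file would need a separate search per month rather than one dynamic search.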

priyanka0309
New Member

Thanks for the reply. Can you let me know the code for that?

Can we write a query and output it to a CSV based on a condition?

0 Karma