Solved: Re: Is it possible to use outputlookup to append r...

jambajuice · ‎01-12-2011

I want to create a single lookup table based on the results of three different searches. I've tried using subsearches to accomplish this, but I always get errors saying the search is too big.

Or is the only way to do this to create one lookup table for each search and then run another search that makes lookups to each of the three tables and then writes the output to another lookup table?

Thx.

Craig

araitz · ‎01-12-2011

Yup, I just blogged on a very similar topic:

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

Essentially, you need to get the set of results that you want to append via search, use inputlookup to input the current contents of the lookup, then use outputlookup to write the lookup.

View solution in original post

ftk · ‎02-10-2011

There is another example of this right here on Answers: http://answers.splunk.com/questions/3982/correlate-and-tag-splunk-events-with-change-control-tickets

araitz · ‎01-12-2011

Yup, I just blogged on a very similar topic:

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

Essentially, you need to get the set of results that you want to append via search, use inputlookup to input the current contents of the lookup, then use outputlookup to write the lookup.

Is it possible to use outputlookup to append results to a lookup table?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!