Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Schedule search with updating value in lookup

k31453
Explorer
‎05-11-2022 09:14 PM

Hi, I have following data which I use search to find from last 30 days and save it into lookup: 

CustomersOld Acquired ProductNew Acquired Product
JackProduct 1Product 2
Alan Product 4Product 5
ChrisProduct 3Product 2
CebProduct 5Product 3

 

Now, I know every day or every few days each customers products are changing as they are acquiring new products. Here is what I want to do:

  • Create saved search 
  • Modifying existing lookup to ensure each customer key value update accordingly:

For e.g. next day customer Jack and chris acquired new product. So saved search schedule will pick up the change and update the lookup as follow:

CustomersOld Acquired ProductNew Acquired Product
JackProduct 2Product 4
Alan Product 4Product 5
ChrisProduct 3Product 2
CebProduct 3Product 2


i know i have to use outputlookup and lookup command but i have fear it is going to overwrite it. 

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-11-2022 09:33 PM

Yes, outputlookup will update the store - you possibly want to merge the current store with the results from the search which is finding the updates, then output the whole store

| inputlookup store.csv
| append
  [ search for new state ]
| outputlookup store.csv append=f
0 Karma
Reply

k31453
Explorer
‎05-11-2022 10:06 PM

However it will have duplicate values which I would like to avoid. Otherwise lookup file will be huge.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-11-2022 10:16 PM 
| stats latest(oldproduct) as oldproduct latest(newproduct) as newproduct by customerid

This way you only keep a single event for each customerid (assuming you are using append=f on the outputlookup)

0 Karma
Reply
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...