Splunk Search
Highlighted

Specify Fields for Outputlookup or Outputcsv

Explorer

How can I get outputlookup or outputcsv to only include certain fields in the resulting lookup file?

An example explains it better:

SEARCH | DEDUP FieldName1 | FIELDS FieldName1, FieldName2 | OUTPUTLOOKUP lookupFile.csv

I want the resulting lookup file to be formatted with just an entry of "FieldValue1, FieldValue2" per line per result. I do not want the full raw logs in the lookup as it seems to be doing.

Highlighted

Re: Specify Fields for Outputlookup or Outputcsv

Influencer
<search> | dedup FieldName1 | table FieldName1 FieldName2 | outputlookup mylookup

View solution in original post

Highlighted

Re: Specify Fields for Outputlookup or Outputcsv

Motivator

I downvoted this post because this isn't an elegant solution. I don't want to table my fields before I output because there are other fields that I don't want to output but that I want to keep to do other processing with.