Solved: Re: Specify Fields for Outputlookup or Outputcsv

mattcg · ‎08-12-2010

How can I get outputlookup or outputcsv to only include certain fields in the resulting lookup file?

An example explains it better:

SEARCH | DEDUP FieldName1 | FIELDS FieldName1, FieldName2 | OUTPUTLOOKUP lookupFile.csv

I want the resulting lookup file to be formatted with just an entry of "FieldValue1, FieldValue2" per line per result. I do not want the full raw logs in the lookup as it seems to be doing.

ziegfried · ‎08-12-2010

<search> | dedup FieldName1 | table FieldName1 FieldName2 | outputlookup mylookup

View solution in original post

ziegfried · ‎08-12-2010

<search> | dedup FieldName1 | table FieldName1 FieldName2 | outputlookup mylookup

nick405060 · ‎01-03-2019

I downvoted this post because this isn't an elegant solution. I don't want to table my fields before I output because there are other fields that I don't want to output but that I want to keep to do other processing with.

n0vsec · ‎09-28-2020

Did you ever find an answer to this? I wanting to do a similar search. I only want to append specific fields to a lookup table, while keeping the rest of the fields for alert automation.

Specify Fields for Outputlookup or Outputcsv

Splunk Forwarders and Forced Time Based Load Balancing

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!