I am running a search job to view Vulnerability results/data. The search runs every week on Saturday evening.
I want to dump the results into a lookup file which will run automatically every Saturday, and it should replace the previous week's report with the new updated results. (Lookup needs to be the same.)
For e.g., the 20th March 2021 lookup file should be automatically replaced by the results from the 27th March 2021 search.
I don't need the old report (20th March) data since it will be outdated and will consume space on my server.
Hi @aferns0804
If your report is relatively small then go with CSV lookups, and the following example query would help to create one, assuming the search job user has enough rights to run outputlookup.
<your query> | fields field1, field2, field3, field4... | outputlookup <your_saturday_report>.csv
You can read more about it here - About lookups - Splunk Documentation
-----------------------------------------------------
An upvote would be appreciated if it helps!
Hi @aferns0804
Please try this: instead of the fields command, use table.
<your query> | table field1, field2, field3, field4... | outputlookup <your_saturday_report>.csv
-----------------------------------------------------
An upvote would be appreciated if it helps!
Done, thanks, but it is also exporting _raw and _time events to the outputlookup file.
I'm not sure it is doing that. I don't want _raw events in my outputlookup file.
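Putting the two answers together as one scheduled saved search, as an added example that is not code from either poster: a savedsearches.conf stanza (stanza name, index, sourcetype, field names and lookup file name are assumptions) that runs every Saturday evening, keeps only the reported columns so that _raw and _time are not written, and overwrites last week's CSV on each run.

```ini
# savedsearches.conf, in the app where the lookup should live.
# Stanza name, index, sourcetype and field names below are assumptions for this example.
[Weekly Vulnerability Lookup]
enableSched = 1
# Cron fields: minute hour day-of-month month day-of-week; 6 = Saturday, so 18:00 every Saturday.
cron_schedule = 0 18 * * 6
# Search only the past seven days so the lookup reflects one week of scan data.
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
# `table` keeps only the listed columns, so internal fields such as _raw and _time are dropped.
# `fields field1, field2` would keep internal fields unless removed explicitly (fields - _raw _time).
# append=false (the default) replaces the whole file each run; override_if_empty=false keeps
# last week's file if the search returns no results, instead of overwriting it with an empty lookup.
search = index=vulnerability sourcetype=vuln:scan \
    | table host, cve, severity, plugin_name, last_seen \
    | outputlookup append=false override_if_empty=false vuln_weekly_report.csv
```

After a run, `| inputlookup vuln_weekly_report.csv` shows only the five listed columns, which is a quick check that no _raw or _time column was written.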