Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk script to update VA report weekly using lookup file

aferns0804
Engager
‎03-18-2021 02:47 PM

I am running a search job to view Vulnerability results/data. The search runs every week Saturday evening.  

I want to dump the results into a lookup file which will run automatically every saturday and it should replaced the previous weeks  report with new updated results. (Lookup needs to be same) 

For eg 20th March 2021 lookup file should be automatically replaced by results from 27th 2021 march search.

I don't need the old report(20th march) data since it will be outdated and will consume space on my server. 

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎03-18-2021 09:41 PM

Hi @aferns0804 

If your report is relatively small then go with CSV lookups and following example query would help to create  assuming the search job user having enough rights to run outputlook.

 

<your query> | fields field1, field2, field3, field4... |  outputlookup <your_saturday_report>.csv

 

You can read more about it here - About lookups - Splunk Documentation

-----------------------------------------------------

An upvote would be appreciated if it helps!

View solution in original post

Tags (2)
0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎03-24-2021 04:26 PM

Hi @aferns0804 

Please try this instead of fields command use table.

<your query> | table field1, field2, field3, field4... |  outputlookup <your_saturday_report>.csv

-----------------------------------------------------

An upvote would be appreciated if it helps!

0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎03-18-2021 09:41 PM

Hi @aferns0804 

If your report is relatively small then go with CSV lookups and following example query would help to create  assuming the search job user having enough rights to run outputlook.

 

<your query> | fields field1, field2, field3, field4... |  outputlookup <your_saturday_report>.csv

 

You can read more about it here - About lookups - Splunk Documentation

-----------------------------------------------------

An upvote would be appreciated if it helps!

Tags (2)
0 Karma
Reply
Solved! Jump to solution

aferns0804
Engager
‎03-24-2021 01:48 PM

Done, thanks but it is also exporting _raw  and _time events to the outputlookup file. 

I m not sure it is doing that. I don't want _raw events in my outputlookup file

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...