Updating a lookup table with new row?

Path Finder

Hello All,

I have an existing lookup file newlookupfile.csv. I'm trying to update the lookup file with a new row. I didn't see any errors in the search, but I do not see the lookup file updated. Can anyone please help? Here is the query I'm using:

| inputlookup newlookupfile.csv | append [|stats count |eval Active=1 | eval Order=2 |eval GroupName="Homepage"
|eval LastUpdated=1572541638|eval Name="James" |eval ReportName="Temp" |eval Order=2 |eval tranID=1001
|eval tranName="NewTransaction"] | stats count by Active Order GroupName LastUpdated Name ReportName Order tranID tranName
|outputlookup newlookupfile.csv

0 Karma

Motivator

If you're trying to do this through SPL, then use the following:

| makeresults
| eval count=0
| eval Active=1
| eval Order=2
| eval GroupName="Homepage"
| eval LastUpdated=1572541638
| eval Name="James"
| eval ReportName="Temp"
| eval tranID=1001
| eval tranName="NewTransaction"
| fields - _time
| outputlookup newlookupfile.csv append=true

There is also a Splunk app called Lookup Editor, which lets you edit lookups easily - https://splunkbase.splunk.com/app/1724/

Hope this helps.
Cheers

0 Karma

Ultra Champion

| inputlookup newlookupfile.csv
| append [| stats count
| eval Active=1
| eval Order=2
| eval GroupName="Homepage"
| eval LastUpdated=1572541638
| eval Name="James"
| eval ReportName="Temp"
| eval tranID=1001
| eval tranName="NewTransaction"]
| stats count by Active Order GroupName LastUpdated Name ReportName tranID tranName
| outputlookup newlookupfile.csv append=true

  1. There are identical field names Order.
  2. add append=true

The above has been corrected. How about this?

outputlookup

Motivator

Upvote. 🙂

0 Karma

Ultra Champion

thanks @ajunpkishore5

0 Karma

Builder

I would suggest checking out the subsearch to make sure the results are actually there. This should work if you have the syntax correct and the subsearch is returning anything. You can also experiment by not pulling in the csv and just using the | makeresults count=1 command to generate test data before you append on the other information.

Another option you can try is to use the append=t parameter on your search so you don't have to do a subsearch. This is a better option performance-wise, as subsearches are not particularly performant. Basically, format the search to be what you want (has the right columns) and then just use the | outputlookup newlookupfile.csv append=t command to add a new row.

Let me know if this helps!

Motivator

upvoted !!

0 Karma