Hi Splunkers,
To insert a single new value into a lookup table, I've been running something like this:
index=_audit earliest=-10s | eval myfield="foo"
| dedup myfield
| table myfield
| outputlookup append=true mylookup
But it seems clunky. Any other recommendations? I thought of first running inputlookup mylookup, then exporting, then updating the csv, then reuploading. Is there a better way to do this?
I should add that the myfield and foo values have nothing to do with the _audit index. I'm just looking for a way to generate an event so I can eval the field that I need.
If you want to generate some entry that is not based on a search result, just use the makeresults command.
That way you can get rid of the index=_audit bit and the duplicate bit. You probably want to keep the table bit to strip the _time field that is generated with the makeresults command.
If you're doing this manually, you could also consider installing the lookup editor app (or use the one from Splunk Enterprise Security if you are using that app), such that you can edit lookups through a GUI.
If you are looking for how to make fake data in Splunk using SPL, then have a look at this link:
https://gist.github.com/bshuler/5d0d75ac43ed8f57809fed6b60c4bfca
Let me know if this helps!
You can do it like this (assuming myfield is the primary key in the lookup):
index=_audit earliest=-10s | eval myfield="foo" | dedup myfield | table myfield
| inputlookup mylookup append=t
| dedup myfield | outputlookup mylookup
The above will add new entries from the _audit query OR update (replace) existing entries.
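Putting the two suggestions together (makeresults instead of index=_audit, and the inputlookup/dedup merge so an existing row is replaced rather than duplicated), here is an added SPL example that is not from any of the posts above. The lookup name mylookup and the field myfield are the ones from the question; the values foo and bar are made up for the example. It also goes one step beyond the single-value case by adding several rows in one search.

```spl
| makeresults
| eval myfield="foo,bar"
| makemv delim="," myfield
| mvexpand myfield
| table myfield
| inputlookup mylookup append=t
| dedup myfield
| outputlookup mylookup
```

The table command drops the _time field that makeresults generates, so only myfield reaches the lookup. Because the new rows are generated first and the existing lookup is appended after them, dedup keeps the newly generated row whenever the same key already exists, which is what makes this an upsert rather than a plain append. To add a single value, just set myfield to that one value and drop the makemv and mvexpand lines.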
Thanks, but I was trying not to use any index in generating the data.