To insert a single new value into a lookup table, I've been running something like this:
index=_audit earliest=-10s | eval myfield="foo"
| dedup myfield
| table myfield
| outputlookup append=true mylookup
But it seems clunky. Any other recommendations? I thought of first running
inputlookup mylookup, then exporting, then updating the csv, then reuploading. Is there a better way to do this?
I should add that the myfield and foo values have nothing to do with the _audit index. I'm just looking for a way to generate an event so I can eval the field that I need.
You can do it like this (assuming myfield is the primary key in the lookup):
index=_audit earliest=-10s | eval myfield="foo" | dedup myfield | table myfield | inputlookup mylookup append=t | dedup myfield | outputlookup mylookup
The above will add new entries from the _audit query OR update (replace) existing entries.
Thanks, but I was trying not to use any index in generating the data.
If you want to generate some entry that is not based on a search result, just use the makeresults command.
That way you can get rid of the index=_audit bit and the duplicate bit. You probably want to keep the table bit to strip the _time field that is generated with the makeresults command.
If you're doing this manually, you could also consider installing the lookup editor app (or use the one from Splunk Enterprise Security if you are using that app), such that you can edit lookups through a GUI.
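Putting the two answers together, here is an added example (not from either poster) that uses makeresults instead of an index search and goes one step further by adding several values in one pass, which is the usual case when maintaining an allowlist or watchlist lookup. It assumes myfield is the lookup's key column and that mylookup already exists; the values foo, bar and baz are made up.

```spl
| makeresults
| eval myfield="foo,bar,baz"
| makemv delim="," myfield
| mvexpand myfield
| table myfield
| inputlookup mylookup append=t
| dedup myfield
| outputlookup mylookup
```

The table command drops the _time field that makeresults creates so it does not end up as an extra column; because dedup keeps the first row it sees, the new values take precedence over any existing row with the same key, which is the replace behaviour described above.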