Re: dbquery and outputlookup

HeinzWaescher · ‎06-04-2014

Hello,

I'm running a dbquery and would like to save the results as a lookuptable.csv.

| dbquery mysearch | outputlookup lookuptable.csv

After running the search this works:

| inputlookup lookuptable.csv

But I can't find the file in the settings to adjust the permissions, delete the file or something else. What am I doing wrong?

BR

Heinz

linu1988 · ‎06-04-2014

Hello Heinz,
When you do outputlookup the file goes to system dir in the splunk etc dir. The inputlookup sees the file in your app/lookup folder in the app context. Everything is correct what you are doing , you need some more param.

your desierd query:

| dbquery mysearch | outputlookup createinapp=true lookuptable.csv

then try the inputlookup

createinapp
Syntax: createinapp=<bool>
Description: If set to false or if there is no current application context, then create the file in the system lookups directory.

See the documentation :
http://docs.splunk.com/Documentation/Splunk/6.0.3/SearchReference/Outputlookup

Thanks,
L

linu1988 · ‎06-04-2014

do you the see the new outputlookup file in the lookup directory?

HeinzWaescher · ‎06-04-2014

Yes, that's the way I check for my lookups usually. And usually they appear in the app I'm running the search...

linu1988 · ‎06-04-2014

where do you check for the file?

Manager » Lookups » Lookup table files

Choose the application under which you are running the search. lookuptable.csv with full path will be mentioned

HeinzWaescher · ‎06-04-2014

Hi,

thanks for your answers. I've always used the command without the createinapp param and everything appeared in the settings...

In this case I tried out createinapp=true, but unfortunately it does not solve the problem. It still doesn't appear in my settings.

dbquery and outputlookup

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!