Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: dbquery and outputlookup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dbquery and outputlookup
Hello,
I'm running a dbquery and would like to save the results as a lookuptable.csv.
| dbquery mysearch | outputlookup lookuptable.csv
After running the search this works:
| inputlookup lookuptable.csv
But I can't find the file in the settings to adjust the permissions, delete the file or something else. What am I doing wrong?
BR
Heinz
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Heinz,
When you do outputlookup the file goes to system dir in the splunk etc dir. The inputlookup sees the file in your app/lookup folder in the app context. Everything is correct what you are doing , you need some more param.
your desierd query:
| dbquery mysearch | outputlookup createinapp=true lookuptable.csv
then try the inputlookup
createinapp
Syntax: createinapp=<bool>
Description: If set to false or if there is no current application context, then create the file in the system lookups directory.
See the documentation :
http://docs.splunk.com/Documentation/Splunk/6.0.3/SearchReference/Outputlookup
Thanks,
L
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
do you the see the new outputlookup file in the lookup directory?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, that's the way I check for my lookups usually. And usually they appear in the app I'm running the search...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
where do you check for the file?
Manager » Lookups » Lookup table files
Choose the application under which you are running the search. lookuptable.csv with full path will be mentioned
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
thanks for your answers. I've always used the command without the createinapp param and everything appeared in the settings...
In this case I tried out createinapp=true, but unfortunately it does not solve the problem. It still doesn't appear in my settings.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
