I'm running a dbquery and would like to save the results as a lookuptable.csv.
| dbquery mysearch | outputlookup lookuptable.csv
After running the search this works:
| inputlookup lookuptable.csv
But I can't find the file in the settings to adjust the permissions, delete the file or something else. What am I doing wrong?
When you do outputlookup the file goes to system dir in the splunk etc dir. The inputlookup sees the file in your app/lookup folder in the app context. Everything is correct what you are doing , you need some more param.
your desierd query:
| dbquery mysearch | outputlookup createinapp=true lookuptable.csv
then try the inputlookup
createinapp Syntax: createinapp=<bool> Description: If set to false or if there is no current application context, then create the file in the system lookups directory.
See the documentation :
thanks for your answers. I've always used the command without the createinapp param and everything appeared in the settings...
In this case I tried out createinapp=true, but unfortunately it does not solve the problem. It still doesn't appear in my settings.