How to append /write only new results to outputloo...

Ashwini008 · ‎03-05-2021

Hi

I want to write my results into outputlookup from saved search. but only when new results are there it should append it to mu lookup.which i am failing to do so

query| outputlookup append=true output.csv. This is writing multiple copies of same data into lookup.

quyery|[|inputlookup output.csv |dedup S] |outputlookup output.csv append=true. This isnt working

Any suggestions

Ashwini008 · ‎03-05-2021

UPDATE :

This worked for me

ITWhisperer · ‎03-05-2021

Try append=false

manjunathmeti · ‎03-05-2021

If field S in output.csv is part of index and sourcetype then you can try below query:

index=index sourcetype=sourcetype NOT [|inputlookup output.csv | dedup S | fields S] | outputlookup output.csv append=true

Ashwini008 · ‎03-05-2021

@ITWhisperer Tried,but still multiple values.

@manjunathmeti My output.csv is empty. So have to write my index data to output.csv.Query is failing at this point,it shows zero results

index=index sourcetype=sourcetype NOT [|inputlookup output.csv | dedup S | fields S]

dm2 · ‎02-26-2024

Hi, I have the same issue but its not working for me..

I first created the lookup and save the search as a report, and then i need to edit my query to append ONLY new values. The current query does not push values at all.

index="rapid7_threat_intelligence" type="Domain"

|table _time, source, type, value

|outputlookup DOMAIN_IOC_ACTIVE.csv append=true

| append [ | inputlookup append=true DOMAIN_IOC_ACTIVE.csv]

| dedup value

How to append /write only new results to outputlookup file

administration

configuration

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?