Hi all,
I have a dashboard where users can add comments to a .csv lookup file. The comments are only related to the day that they are added. I would like to be able to clear down the .csv on a daily basis (around midnight). Is there a way that I can do this using Splunk to keep all the code in one place?
I plan to use the 'collect' command to send the contents to an index prior to removing all the entries in whatever way is possible.
I have tried using outputlookup but only succeeded in writing blank lines to the .csv, not overwriting or removing the contents.
Thanks
Have you tried using the parameter create_empty=true in your outputlookup command?
Skalli
Hi @skalliger , thanks for the reply. Yes, I tried this but only managed to create empty lines in the csv.
I have written this search which only returns the entries for 'today'. A workaround for now.
| inputlookup comment.csv
| eval Comment=if(isnull(Comment),New_Note,Comment)
| eval Date=if(isnull(Date),Date_new,Date)
| eval tdate=strftime(now(),"%d/%m/%Y")
| rex field=Date "(?<cdate>\d\d\/\d\d\/\d\d\d\d) "
| table Date, Comment, tdate, cdate
| where tdate=cdate
| table Date, Comment
| sort -Date