Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

'Empty' a csv on a daily basis

timrich66
Communicator
‎07-08-2020 04:23 AM

Hi all,

I have a dashboard where users can add comments to a .csv lookup file.  The comments are only related to the day that they are added.  I would like to be able to clear down the .csv on a daily basis (around midnight).  Is there a way that I can do this using Splunk to keep all the code in one place?

I plan to use the 'collect' command to send the contents to an index prior to removing all the entries in whatever way is possible.

I have tried using outputlookup but only succeeded in writing blank lines to the .csv, not overwriting or removing the contents.

Thanks

0 Karma
Reply

skalliger
Motivator
‎07-08-2020 06:19 AM

Have you tried using the paramter

 

create_empty=true

 

in your outputlookup command?

 

 

Skalli

Reply

timrich66
Communicator
‎07-08-2020 06:33 AM

Hi @skalliger , thanks for the reply.  Yes, I tried this but only managed to create empty lines in the csv.

I have written this search which only returns the entries for 'today'.  A work around for now.

| inputlookup comment.csv
| eval Comment=if(isnull(Comment),New_Note,Comment)
| eval Date=if(isnull(Date),Date_new,Date)
| eval tdate=strftime(now(),"%d/%m/%Y")
| rex field=Date "(?<cdate>\d\d\/\d\d\/\d\d\d\d) "
| table Date, Comment, tdate, cdate
| where tdate=cdate
| table Date, Comment
| sort -Date

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...