Splunk Search

What's the best way to insert a single value into a lookup table without editing a csv

grittonc
Contributor

Hi Splunkers,

To insert a single new value into a lookup table, I've been running something like this:

index=_audit earliest=-10s | eval myfield="foo"
| dedup myfield
| table myfield
| outputlookup append=true mylookup

But it seems clunky. Any other recommendations? I thought of first running inputlookup mylookup, then exporting, then updating the csv, then reuploading. Is there a better way to do this?

I should add that the myfield and foo values have nothing to do with the _audit index. I'm just looking for a way to generate an event so I can eval the field that I need.

0 Karma
1 Solution

FrankVl
Ultra Champion

If you want to generate some entry that is not based on a search result, just use the makeresults command.

That way you can get rid of the index=_audit bit and the duplicate bit. You probably want to keep the table bit to strip the _time field that is generated with the makeresults command.

If you're doing this manually, you could also consider installing the lookup editor app (or use the one from Splunk Enterprise Security if you are using that app), such that you can edit lookups through a GUI.


mayurr98
Super Champion

If you're looking for how to make fake data in Splunk using SPL, then have a look at this link:

https://gist.github.com/bshuler/5d0d75ac43ed8f57809fed6b60c4bfca

Let me know if this helps!

0 Karma


somesoni2
Revered Legend

You can do it like this (assuming myfield is the primary key in the lookup):

index=_audit earliest=-10s | eval myfield="foo" | dedup myfield | table myfield 
| inputlookup mylookup append=t 
| dedup myfield | outputlookup mylookup

The above will add new entries from the _audit query OR update (replace) existing entries.

0 Karma
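The two answers above combine into one search: makeresults generates the row (FrankVl's point, no index needed), and the inputlookup append / dedup / outputlookup sequence turns it into an upsert (somesoni2's point). The search below is an added example and is not code from either poster. It assumes a lookup named mylookup whose key column is myfield plus a second column called note; it also goes one step further than the single value in the question by inserting several keys at once via split and mvexpand. Because dedup keeps the first row it sees, the new rows must come before inputlookup so that they replace, rather than lose to, any existing row with the same key.

```spl
| makeresults
| eval myfield=split("foo,bar", ","), note="constructed sample values"
| mvexpand myfield
| table myfield note
| inputlookup append=true mylookup
| dedup myfield
| outputlookup override_if_empty=false mylookup
```

The table line drops the _time field that makeresults adds, so it never lands in the CSV. override_if_empty=false is the safety catch for the non-append form of outputlookup: without append=true the command rewrites the whole file, so a search that unexpectedly returns zero rows (for example, a mistyped lookup name in the inputlookup line) would otherwise truncate the lookup to an empty file. If you only want to append and are certain the key is not already present, drop the inputlookup and dedup lines and use outputlookup append=true mylookup instead, as in the original question; append does not deduplicate, so running it twice produces two foo rows.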

grittonc
Contributor

Thanks, but I was trying not to use any index in generating the data.

0 Karma