Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

output lookup to /app/lookups

himynamesdave
Contributor
‎02-16-2017 06:04 AM

I have a saved search that generates a table of users each day:

search "my users" | table username, id

I want to turn this search into a lookup file (users.csv) in my app on a daily basis. Each time the search runs it will overwrite data in lookup containing only results from latest search.

I know outputcsv can create a lookup file, but it there anyway to set the destination to my apps lookup directory?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎02-16-2017 06:25 AM

Are you confusing outlputlookup with outputcsv?
The former will use your transforms.conf and write to your apps ./lookups/users.csv
The command for which would be:

search "my users" | table username, id | outputlookup users

where users is the name of your lookup table definition.

outputcsv on the other hand will write the file to $SPLUNK_HOME/var/run/splunk

 search "my users" | table username, id | outputcsv users

output would be $SPLUNK_HOME/var/run/splunk/users.csv

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎02-16-2017 06:25 AM

Are you confusing outlputlookup with outputcsv?
The former will use your transforms.conf and write to your apps ./lookups/users.csv
The command for which would be:

search "my users" | table username, id | outputlookup users

where users is the name of your lookup table definition.

outputcsv on the other hand will write the file to $SPLUNK_HOME/var/run/splunk

 search "my users" | table username, id | outputcsv users

output would be $SPLUNK_HOME/var/run/splunk/users.csv

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

himynamesdave
Contributor
‎02-22-2017 02:37 AM

Yes. Looking back this is a silly question. I was confusing every command with OUTPUT 🙂 It was a long day!

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎02-16-2017 06:17 AM

Yes, the outputlookup command creates the csv file in the app directory by default:

search "my users" | table username, id | outputlookup users.csv
0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...