Hello,
I'm running a dbquery and would like to save the results as a lookuptable.csv.
| dbquery mysearch | outputlookup lookuptable.csv
After running the search this works:
| inputlookup lookuptable.csv
But I can't find the file in the settings to adjust the permissions, delete the file or something else. What am I doing wrong?
BR
Heinz
Hello Heinz,
When you do outputlookup the file goes to system dir in the splunk etc dir. The inputlookup sees the file in your app/lookup folder in the app context. Everything is correct what you are doing , you need some more param.
your desierd query:
| dbquery mysearch | outputlookup createinapp=true lookuptable.csv
then try the inputlookup
createinapp
Syntax: createinapp=<bool>
Description: If set to false or if there is no current application context, then create the file in the system lookups directory.
See the documentation :
http://docs.splunk.com/Documentation/Splunk/6.0.3/SearchReference/Outputlookup
Thanks,
L
do you the see the new outputlookup file in the lookup directory?
Yes, that's the way I check for my lookups usually. And usually they appear in the app I'm running the search...
where do you check for the file?
Manager » Lookups » Lookup table files
Choose the application under which you are running the search. lookuptable.csv with full path will be mentioned
Hi,
thanks for your answers. I've always used the command without the createinapp param and everything appeared in the settings...
In this case I tried out createinapp=true, but unfortunately it does not solve the problem. It still doesn't appear in my settings.