- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- How to reset the lookup file every 15 minutes?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to reset the lookup file every 15 minutes?
I have multiple search queries and when it gets executed the results are stored in csv file using the command "| inputlookup append=true xyz_lookup | outputlookup xyz_lookup". But once in 15 minutes I want to reset this xyz_lookup file as I will schedule to run the mutiple query every 15 mins, if I don't reset then it will display the previous run data along with the current run data which is wrong in my scenario. If I remove the append=true from my search then it won't append all the other application data in as it will overwrite. Could you please let me know how to get the current data alone in my lookup file?
Example:
Run 1 the xyz_lookup will be
Application Status
App1 Green
App2 Amber
App3 Red
App4 Amber
App5 Red
Run 2 after minutes the xyz_lookup will have the old data appended along with new one but I need only the current run data
Application Status
App1 Red
App2 Green
App3 Amber
App4 Green
App5 Amber
App1 Green
App2 Amber
App3 Red
App4 Amber
App5 Red
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use dedup command and it will add only those rows that are new.
index=main sorucetype=abc |inputlookup append=true mycsv | dedup firstcol, secondcol | table fistcol secondcol | outputlookup mycsv
Please mind with csv lookup you won't be able to update any existing rows. You can only add new rows.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could just remove the | inputlookup append=true xyz_lookup from your search and it'll overwrite the whole lookup file with new data from your search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok thank you 🙂 , I thought we may have other way to accomplish this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can't remove that, as I said I'm appending the data into the lookup file xyz by running multiple queries at one time. I will run 10 queries with different index at one time so I will get each application data from each query. So at the end of one run i will have 10 applications data in the lookup file.
So when I need fresh data for next run after 15 mins for same 10 applications I need to reset the lookup file which has the older data of these 10 applications.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could schedule 11th search after your 10 searches with a dummy query to outputlookup nothing/blank row, this time without append. This will reset the lookup to nothing, so the lookup starts fresh for the next run of your 10 searches.
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
