Splunk Search

Append Custom Rows to Lookup Table

pepper_seattle
Path Finder

I have a lookup table which was created manually in excel and then ported into Splunk as a lookup table via "Add New" lookup files. As I cannot get the results for the lookup by querying in Splunk (information being brought in from elsewhere that isn't logged) I am having trouble figuring out how to add rows as needed.

Question:
Is there a way to add a row to a lookup table when you can't query for the table results outside the lookup itself?

0 Karma
1 Solution

jconger
Splunk Employee

You can use the outputlookup command if you want to append results.

Or, there is a really cool lookup editor available here -> https://splunkbase.splunk.com/app/1724/

pepper_seattle
Path Finder

I know about outputlookup, but I'm not sure how to append a row with custom data. Most examples have you query your data and update tables with the results of the query. If I can't query for my data, then what do I do?

Looking into that tool, thanks for pointing it out!

bwlm
Path Finder

Another hack is that you could select one entry from the lookup table, modify the field values with "eval" commands, then append to the original lookup table.

Considering things-table.csv:
thing,color,weight
1,blue,"1.1"
2,green,"2.2"
3,red,"3.3"

The following command will lookup the first entry, modify it, then append to the lookup table:
| inputlookup things-table.csv
| search thing=1
| eval thing="4",color="purple",weight="4.4"
| outputlookup append=t things-table.csv

Then "|inputlookup things-table.csv" will have the output:
thing,color,weight
1,blue,"1.1"
2,green,"2.2"
3,red,"3.3"
4,purple,"4.4"

0 Karma

jconger
Splunk Employee

You can do it in search as well. Let's say you have a CSV that was imported that looks like this:

thing,color,weight
1,blue,"1.1"
2,green,"2.2"
3,red,"3.3"

Then, you can run the following search to view the CSV, append some made up results, dedup the data (by using stats count), and write it all back to the original CSV:

| inputlookup things.csv | append [ | stats count | eval thing=4 | eval color="purple" | eval weight=4.4 ] | stats count by thing color weight | fields - count | outputlookup things.csv

After running that search, the CSV looks like this:

thing,color,weight
1,blue,"1.1"
2,green,"2.2"
3,red,"3.3"
4,purple,"4.4"
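An added example, not taken from any post in this thread, that generalizes the pattern above: the new rows are staged with makeresults rather than stats count, and the final stats is keyed on thing alone, so re-running the search (or adding a row whose key already exists, here thing=3) updates that row instead of producing a duplicate. The lookup name things.csv and its three fields come from the thread; the row values and the use of makeresults/streamstats are assumptions for illustration.

```spl
| inputlookup things.csv
| append
    [| makeresults count=2
     | streamstats count AS n
     | eval thing=if(n==1, "4", "3"),
            color=if(n==1, "purple", "crimson"),
            weight=if(n==1, "4.4", "3.3")
     | fields thing color weight ]
| stats last(color) AS color, last(weight) AS weight BY thing
| sort thing
| outputlookup things.csv
```

Because last() takes the most recently arrived value per thing, the appended row wins when a key collides; without append=t, outputlookup rewrites the whole file, so the dedup step is what keeps the existing rows.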

pepper_seattle
Path Finder

That worked! Thank you!

0 Karma