I am trying to append some custom IP addresses to a lookup table of IP addresses:
|inputlookup mk_ip_list | append [|stats count | eval description="testAppend" | eval ip_address="8.8.8.8"]
| stats count by description ip_address | fields - count | outputlookup mk_ip_list
description ip_address
Test IPs 103.000.000.77
Test IPs 103.000.000.94
Test IPs 104.000.000.32
Test IPs 158.000.000.106
testAppend 8.8.8.8
But if I try to list the lookup afterwards, the new value does not show up:
|inputlookup mk_ip_list
description ip_address
Test IPs 104.000.000.32
Test IPs 158.00.000.106
Test IPs 103.000.000.94
Test IPs 103.000.000.77
I am able to update the lookup table directly in Splunk Enterprise Security (ES), so I must be authorized to update it. So what else do I need to do to update this lookup table?
Hello,
Try this please:
|inputlookup mk_ip_list | append [|stats count | eval description="testAppend" | eval ip_address="8.8.8.8"]
| fields - count | outputlookup append=true mk_ip_list
Give this a try
| gentimes start=-1 | eval description="testAppend" | table description | eval ip_address="8.8.8.8"
| outputlookup append=true mk_ip_list
Is there any scheduled search that is updating the lookup table file?
Still nothing added to the lookup table. In this case just the one record shows up on running the command, but when I do
|inputlookup mk_ip_list
I still only see the old list without the new record
There are no scheduled searches updating the lookup table. I created this one for the express purpose of learning how to manually populate a table with threat intelligence data.
Having the same problem, ever figured this out?
Hi MonkeyK,
You may want to use the append argument in your outputlookup command:
... | outputlookup append=true mk_ip_list
If set to true, outputlookup attempts to append search results to an existing .csv file or KV store collection. The default value is false.
Hope this helps. Thanks!
Hunter
Yes, I forgot that I started with append=true.
Without it my lookup table should have been replaced, but nothing changed.
With it my lookup table should have gotten bigger, but nothing changed.