Splunk Search

Why am I unable to append a lookup table with OUTPUTLOOKUP?

MonkeyK
Builder

I am trying to append some custom IP addresses to a lookup table of IP addresses:

|inputlookup mk_ip_list | append [|stats count | eval description="testAppend" | eval ip_address="8.8.8.8"]
| stats count by description ip_address | fields - count | outputlookup mk_ip_list

description   ip_address
Test IPs      103.000.000.77
Test IPs      103.000.000.94
Test IPs      104.000.000.32
Test IPs      158.000.000.106
testAppend    8.8.8.8

But if I try to list the lookup afterwards, the new value does not show up:
|inputlookup mk_ip_list

description   ip_address
Test IPs      104.000.000.32
Test IPs      158.00.000.106
Test IPs      103.000.000.94
Test IPs      103.000.000.77

I am able to update the lookup table directly in Splunk Enterprise Security (ES), so I must be authorized to update it. So what else do I need to do to update this lookup table?

0 Karma

TISKAR
Builder

Hello,

Try this please:

|inputlookup mk_ip_list | append [|stats count | eval description="testAppend" | eval ip_address="8.8.8.8"]
| fields - count | outputlookup append=true mk_ip_list
0 Karma

somesoni2
SplunkTrust

Give this a try:

| gentimes start=-1 | eval description="testAppend" | table description | eval ip_address="8.8.8.8"
| outputlookup append=true mk_ip_list

Is there any scheduled search that is updating the lookup table file?

0 Karma

MonkeyK
Builder

Still nothing added to the lookup table. In this case just the one record shows up on running the command, but when I do

|inputlookup mk_ip_list

I still only see the old list without the new record.

There are no scheduled searches updating the lookup table. I created this one for the express purpose of learning how to manually populate a table with threat intelligence data.

0 Karma

esmonder
Path Finder

Having the same problem, ever figured this out?

0 Karma

hunters_splunk
Splunk Employee

Hi MonkeyK,

You may want to use the append argument in your outputlookup command:

... | outputlookup append=true mk_ip_list

If set to true, outputlookup attempts to append search results to an existing .csv file or KV store collection. The default value is false.

Hope this helps. Thanks!
Hunter
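As an added example (not code from any poster in this thread), here is the pattern for adding an indicator row to a threat-intel lookup without creating duplicate rows, since append=true only adds rows and does not de-duplicate; the lookup name and field names are the thread's own, and the testAppend/8.8.8.8 row is a constructed placeholder:

```spl
| inputlookup mk_ip_list
| append
    [| makeresults
     | eval description="testAppend", ip_address="8.8.8.8"
     | fields description ip_address]
| dedup description ip_address
| fields description ip_address
| outputlookup mk_ip_list
```

Confirm the write landed with `| inputlookup mk_ip_list | search ip_address="8.8.8.8"`; if that returns nothing and the search itself showed the row, the write is being blocked or redirected (permissions on the lookup file or a second copy of the lookup in another app), not the SPL.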

MonkeyK
Builder

Yes, I forgot that I started with append=true.

Without it my lookup table should have been replaced, but nothing changed.

With it my lookup table should have gotten bigger, but nothing changed.

0 Karma