Solved: How do you create a static table for a lookup file...

_smp_ · ‎11-09-2018

I have kind of a silly question that I am embarrassed to admit has stumped me for a little while.

I have a small list of server IP addresses and names that I would like to put in a lookup table file. I could easily create this file outside of Splunk, but I would prefer to construct a Splunk search to ensure it is built in a consistent way. So I am trying to construct a search which builds a table of static values and pipes the output to '|outputlookup' generate the lookup file. But I can't seem to find the right syntax to build a simple table with a name and IP column. I've tried various combinations of eval, append, appendpipe and I just can't seem to find the right syntax. The table is very simple:

name,ip
server1,ip1
server2,ip2
server3,ip3

kmaron · ‎11-09-2018

This should get you what you want

| makeresults 
| eval name="server1" 
| eval ip="ip1" 
| append 
    [| makeresults 
    | eval name="server2" 
    | eval ip="ip2"] 
| append 
    [| makeresults 
    | eval name="server3" 
    | eval ip="ip3"] 
| fields - _time | outputlookup filename

View solution in original post

kmaron · ‎11-09-2018

This should get you what you want

| makeresults 
| eval name="server1" 
| eval ip="ip1" 
| append 
    [| makeresults 
    | eval name="server2" 
    | eval ip="ip2"] 
| append 
    [| makeresults 
    | eval name="server3" 
    | eval ip="ip3"] 
| fields - _time | outputlookup filename

_smp_ · ‎11-09-2018

sigh

That's why I was embarrassed. I knew it would be simple. Thanks!!

kmaron · ‎11-09-2018

eh no need to be embarrassed. I wasn't sure I remembered how to do it 🙂

How do you create a static table for a lookup file?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms