Splunk Search

Updating a lookup table with new row ?

iamsplunker31
Path Finder

Hello All,

I have an existing lookup file, newlookupfile.csv. I'm trying to update the lookup file with a new row. I didn't see any errors in the search, but I do not see the lookup file updated. Can anyone please help? Here is the query I'm using:

| inputlookup newlookupfile.csv
| append [| stats count
    | eval Active=1
    | eval Order=2
    | eval GroupName="Homepage"
    | eval LastUpdated=1572541638
    | eval Name="James"
    | eval ReportName="Temp"
    | eval Order=2
    | eval tranID=1001
    | eval tranName="NewTransaction"]
| stats count by Active Order GroupName LastUpdated Name ReportName Order tranID tranName
| outputlookup newlookupfile.csv

0 Karma

arjunpkishore5
Motivator

If you're trying to do this through SPL, then use the following

| makeresults
| eval count=0
| eval Active=1
| eval Order=2
| eval GroupName="Homepage"
| eval LastUpdated=1572541638
| eval Name="James"
| eval ReportName="Temp"
| eval Order=2
| eval tranID=1001
| eval tranName="NewTransaction"
| fields - _time
| outputlookup newlookupfile.csv append=true

There is also a Splunk app called Lookup Editor, which lets you edit lookups easily - https://splunkbase.splunk.com/app/1724/

Hope this helps.
Cheers

0 Karma

to4kawa
Ultra Champion

| inputlookup newlookupfile.csv
| append [| stats count
    | eval Active=1
    | eval Order=2
    | eval GroupName="Homepage"
    | eval LastUpdated=1572541638
    | eval Name="James"
    | eval ReportName="Temp"
    | eval tranID=1001
    | eval tranName="NewTransaction"]
| stats count by Active Order GroupName LastUpdated Name ReportName tranID tranName
| outputlookup newlookupfile.csv append=true

  1. There were duplicate field names (Order).
  2. Add append=true.

The above has been corrected. How about this?

outputlookup

arjunpkishore5
Motivator

Upvote. 🙂

0 Karma

to4kawa
Ultra Champion

Thanks @arjunpkishore5

0 Karma

aberkow
Builder

I would suggest checking out the subsearch to make sure the results are actually there. This should work if you have the syntax correct and the subsearch is returning anything. You can also experiment by not pulling in the csv and just using the | makeresults count=1 command to generate test data before you append the other information.

Another option you can try is to use the append=t parameter on your search so you don't have to do a subsearch. This is a better option performance-wise, as subsearches are not particularly performant. Basically, format the search to be what you want (it has the right columns) and then just use the | outputlookup newlookupfile.csv append=t command to add a new row.

Let me know if this helps!
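The three answers above all add the row in one of two ways: rewrite the whole file from inputlookup plus the new row, or append=true a makeresults row. The search below is an added example, not code from any poster in this thread; it combines both ideas and adds the one check a practitioner usually wants, which is that re-running the search does not keep piling up copies of the same row (append=true appends on every run, including every scheduled run). The field values are the ones from the question; treating tranID as the unique key for a row is an assumption made for this example.

```spl
| inputlookup newlookupfile.csv
| append
    [| makeresults
     | eval Active=1, Order=2, GroupName="Homepage", LastUpdated=1572541638,
            Name="James", ReportName="Temp", tranID=1001, tranName="NewTransaction"
     | fields - _time]
| dedup tranID
| table Active Order GroupName LastUpdated Name ReportName tranID tranName
| outputlookup newlookupfile.csv
```

How it behaves: makeresults produces exactly one row, and fields - _time drops the timestamp it adds so that _time does not become a new CSV column. dedup tranID keeps the first row it sees for each key, and because the existing lookup rows come first, an already-present tranID wins and the new row is silently dropped; if the new row should replace the old one instead, start with the makeresults row and append [| inputlookup newlookupfile.csv] after it. table pins the column set and order, so a stray field such as count cannot quietly widen the file. Note that this form deliberately has no append=true: outputlookup replaces the entire file with the combined, deduplicated result, which is why reading the existing file first is essential. If you prefer the plain append=true form from the answers, drop the inputlookup, dedup and table lines, but expect one more copy of the row each time the search runs.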

arjunpkishore5
Motivator

Upvoted!!

0 Karma