Splunk Search

How to update particular row of existing lookup csv ?

patra966
Path Finder

I have existing lookup csv. I want to update a row with new value.
ID Name Location
549 Test_1 Bangalore
549 Test_2 Delhi
729 Test_3 Mumbai
549 Test_4 Bangalore
729 Test_5 Bangalore

Test_4 will be replace with Test_8 and my lookup table will be look like as below

ID Name Location
549 Test_1 Bangalore
549 Test_2 Delhi
729 Test_3 Mumbai
549 Test_8 Bangalore
729 Test_5 Bangalore

How can I achieve it through search query.

Regards
Raja

Tags (2)
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The basic approach is to read in the CSV file, change what needs to be changed, and then re-write the file.

| inputlookup my.csv
| eval Name = if(Name=="Test_4", "Test_8", Name)
| outputlookup my.csv
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

The basic approach is to read in the CSV file, change what needs to be changed, and then re-write the file.

| inputlookup my.csv
| eval Name = if(Name=="Test_4", "Test_8", Name)
| outputlookup my.csv
---
If this reply helps you, Karma would be appreciated.

patra966
Path Finder

Let consider another scenario.

If my Name column suppose to be "Test Name".

Case-1:

| inputlookup my.csv
| eval "Test Name" = if("Test Name"=="Test_4", "Test_8", "Test Name")
| outputlookup my.csv

For this I am getting like below:
ID Test Name Location
549 Test Name Bangalore
549 Test Name Delhi
729 Test Name Mumbai
549 Test Name Bangalore
729 Test Name Bangalore

Case- 2:

| inputlookup my.csv
| eval Test Name = if(Test Name=="Test_4", "Test_8", Test Name)
| outputlookup my.csv
Getting error for this.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...