I want to keep adding new records to a Splunk lookup table and not write records again for existing users, even if they come up in the search results.

Lookup table structure: apiCallerID, ticketId

My base search query has mvexpand, mvindex and rex commands and then table, so when I use "NOT" it does not allow me any other way or corrections.

index=test sourcetype=stats earliest=-5m@m latest=-0m@m
| eval temp=ltrim(Response,"[")
| eval temp1=rtrim(temp, "]")
| eval temp2=split(temp1,"}")
| mvexpand temp2
| eval temp3=ltrim(temp2,",")
| eval testData=mvindex(temp3,-1)
| rex field=testData "userID:\s(?<apiCallerID>\d+)"
| search NOT [| inputlookup LookuptableGeneratorForDSIDByTestID.csv | fields apiCallerID]
| table apiCallerID

Basically, if the user is not there I want to add a ticket id along with the user in the lookup table, and in future the system will use this to raise any new tickets and prevent duplicate tickets for the existing user.
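One way to carry the whole flow through, as an added example that is not part of the original post: instead of excluding known users with a NOT subsearch (which is capped by the subsearch result limit, 10,000 rows by default), this joins each event against the lookup with the lookup command and keeps only rows that did not match, deduplicates users inside the 5-minute window, and appends the survivors to the same CSV. The lookup file name and the apiCallerID/ticketId fields come from the question; it is assumed that ticketId is already present on the event when the search runs (if it is created elsewhere, replace that field with whatever produces it) and that the CSV is addressable by file name in the lookup command (otherwise use the lookup definition name).

```spl
index=test sourcetype=stats earliest=-5m@m latest=-0m@m
| eval temp=ltrim(Response,"[")
| eval temp1=rtrim(temp,"]")
| eval temp2=split(temp1,"}")
| mvexpand temp2
| eval temp3=ltrim(temp2,",")
| eval testData=mvindex(temp3,-1)
| rex field=testData "userID:\s(?<apiCallerID>\d+)"
| where isnotnull(apiCallerID)
| lookup LookuptableGeneratorForDSIDByTestID.csv apiCallerID OUTPUT apiCallerID AS knownCaller
| where isnull(knownCaller)
| dedup apiCallerID
| table apiCallerID ticketId
| outputlookup append=true LookuptableGeneratorForDSIDByTestID.csv
```

The `where isnotnull(apiCallerID)` step drops events where the rex did not match, so empty user IDs are never written to the lookup. Matching on apiCallerID itself (returned as knownCaller) rather than on ticketId means the exclusion still works for lookup rows whose ticketId is blank. Note that `outputlookup append=true` does not deduplicate on its own: if two runs of this search overlap (for example a scheduled search whose interval is shorter than its 5-minute window), both can pass the same new user through the filter and append it twice, so schedule the search with an interval at least as long as its window, or periodically rewrite the lookup with `| inputlookup ... | dedup apiCallerID | outputlookup ...` to clean up.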