Hi,
I would like to update a lookup file with, for an example 10 new information, through Splunk Search only.
The table consists of 4 columns as below.
At the moment I am using the below search:
| gentimes start=-1
| fields comment, date, user, text
| eval comment="Update_Lookup_1", date="13/04/2019", user="User 1", text="Hello World 1"
| eval comment="Update_Lookup_2", date="13/04/2019", user="User 2", text="Hello World 2"
| eval comment="Update_Lookup_3", date="13/04/2019", user="User 3", text="Hello World 3"
| eval comment="Update_Lookup_4", date="13/04/2019", user="User 4", text="Hello World 4"
| eval comment="Update_Lookup_5", date="13/04/2019", user="User 5", text="Hello World 5"
| eval comment="Update_Lookup_6", date="13/04/2019", user="User 6", text="Hello World 6"
| eval comment="Update_Lookup_7", date="13/04/2019", user="User 7", text="Hello World 7"
| eval comment="Update_Lookup_8", date="13/04/2019", user="User 8", text="Hello World 8"
| eval comment="Update_Lookup_9", date="13/04/2019", user="User 9", text="Hello World 9"
| eval comment="Update_Lookup_10", date="13/04/2019", user="User 10", text="Hello World 10"
| table comment,date, user, text
| inputlookup append=true lookupfile_original.csv
| outputlookup updated_lookupfile.csv append=t
However, when I run the search, the updated_lookupfile.csv only reflects the 10th result (the eval results 1-9 is not added)
Any suggestions on how to do this via search? Thanks in advance
Edit: assume that fields comment and text contains random characters and not incremental
... View more