添加链接 注册    登录
link管理
链接快照平台
  • 输入网页链接,自动生成快照
  • 标签化管理网页链接
相关文章推荐
没读研的小蝌蚪  ·  Solved: How to use ...·  1 周前    · 
直爽的墨镜  ·  【运动会】风雨兼程:第63届运动会女子500 ...·  1 周前    · 
另类的冲锋衣  ·  使用红帽订阅管理 | Red Hat ...·  2 月前    · 
怕老婆的仙人球  ·  UI视觉设计的常用软件是什么?-即时设计·  2 月前    · 
文雅的四季豆  ·  11. 附录02: CV18xx使用指南 ...·  3 月前    · 
英俊的硬币  ·  Windows内核编程中的进程与线程管理 ...·  5 月前    · 
link管理  ›  Solved: How to add a new row to a lookup using a Splunk qu... - Splunk Community
splunk
https://community.splunk.com/t5/Splunk-Search/How-to-add-a-new-row-to-a-lookup-using-a-Splunk-query/m-p/429061
拉风的蘑菇
3 月前

Is there a Splunk query to add a new row or a new column to a lookup table?

I specifically ask for a query because I want my Python script to append rows automatically.

Thanks.

Please try below query (In below query assume that I have single column in CSV with header IP). 

<yourBaseSearch>
| eval ip="1.2.3.4"
| fields ip
| outputlookup append=t <existing_lookup.csv>

| inputlookup <existing_lookup.csv>
| append [ makeresults | eval ip="1.2.3.4"]
| fields ip
| outputlookup <existing_lookup.csv>

EDIT: Updated query so only ip field will be added/updated in CSV lookup.


 [your search which produces results of 1 or more rows]
| inputlookup append=true mylookup.csv
|table field_id, field_a, field_b
|dedup field_id
|outputlookup mylookup.csv

Using this method you can add both rows and columns if needed by including them in the table command. This will load the 'old copy' of the file, and re-write the file with all the rows/columns present in the table. 


Please try below query (In below query assume that I have single column in CSV with header IP).


<yourBaseSearch>
| eval ip="1.2.3.4"
| fields ip
| outputlookup append=t <existing_lookup.csv>

| inputlookup <existing_lookup.csv>
| append [ makeresults | eval ip="1.2.3.4"]
| fields ip
| outputlookup <existing_lookup.csv>

EDIT: Updated query so only ip field will be added/updated in CSV lookup.

						
As you are using python so first create splunk query using python, if you want to add more results then you can do something like this while creating query.


Create variable called ip and with all values delimited with semicolon so something like this ip="3.4.5.6;10.10.0.1" and then use below splunk query


| inputlookup <existing_lookup.csv>
| append [ makeresults | eval ip="3.4.5.6;10.10.0.1" ]
| table ip
| eval ip=split(ip,";")
| mvexpand ip
| dedup ip
| outputlookup <existing_lookup.csv>

and then fire above query in splunk using python script.

						Splunk, Splunk>, Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or
						registered trademarks of Splunk Inc. in the United States and other countries. All other brand
						names, product names, or trademarks belong to their respective owners.
 
推荐文章
没读研的小蝌蚪  ·  Solved: How to use xml cdata tag for not displaying charac... - Splunk Community
1 周前
直爽的墨镜  ·  【运动会】风雨兼程:第63届运动会女子5000米、男子10000米长跑金牌诞生-华中农业大学南湖新闻网
1 周前
另类的冲锋衣  ·  使用红帽订阅管理 | Red Hat Product Documentation
2 月前
怕老婆的仙人球  ·  UI视觉设计的常用软件是什么?-即时设计
2 月前
文雅的四季豆  ·  11. 附录02: CV18xx使用指南 — TPU-MLIR 1.8-2-gf411c2bc5 文档
3 月前
英俊的硬币  ·  Windows内核编程中的进程与线程管理 - CSDN文库
5 月前
Link管理   ·   51好读   ·   Sov5搜索   ·   小百科
link管理 - 链接快照平台