Hi Guys !!
Today, we will discuss how to create or update a lookup file from a Splunk report.
We have created a report named “Update Lookup Report” with the query below:
index=_internal sourcetype=splunkd_ui_access | timechart span=5min count by method
Now, we will schedule this report. Click the “Edit” option and then “Edit Schedule”.
NOTE: Only a scheduled report can be used to create or update a lookup file.
Now, tick the checkbox to schedule the report.
Here, we have used the cron schedule “0-59/5 * * * *” with the time range “Last 5 minutes”, so the report runs at every minute divisible by 5 (0, 5, 10, ... 55) and reads the last 5 minutes of data. Keep the cron interval and the time range equal: a range shorter than the interval leaves gaps in the lookup, and a range longer than the interval (or a run that starts late) writes the same events twice, which matters most with the Append option described below.
Now, click on “Add Actions” and select the option “Output results to lookup”.
Now, give the name of the file you want to create; if the file already exists, it will be updated.
We have two options here, Append or Replace.
Append -> Append adds the new result set to the end of the file every time the report runs. Nothing removes old rows, so the file grows with every run.
Replace -> Replace overwrites the whole file with the new result set every time the report runs, so the file only ever holds the output of the last run.
Example of Replace:
Here, we have used the file name “update_lookup_report_replace.csv” with the “Replace” option and saved the report.
As you can see in the two images above, the content of the lookup file “update_lookup_report_replace.csv” is replaced with new data every time the report runs.
Example of Append:
Here, we have changed the lookup file name to “update_lookup_report_append.csv” in the same report, selected the “Append” option and saved the report.
As you can see in the images above, the content of the lookup file “update_lookup_report_append.csv” is updated by appending the new result set to the rows already in the file.
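The same report, written as the savedsearches.conf stanza that the UI steps above produce, as an added example that is not part of the original post. The setting names are the Lookup alert action settings as I know them (action.lookup, action.lookup.filename, action.lookup.append); the earliest/latest values are my assumed equivalent of the “Last 5 minutes” time range, and the stanza belongs in the app where the report was saved.

```ini
# savedsearches.conf (local/ directory of the app that owns the report)
[Update Lookup Report]
search = index=_internal sourcetype=splunkd_ui_access | timechart span=5min count by method
enableSched = 1
cron_schedule = 0-59/5 * * * *
# Assumed equivalent of the "Last 5 minutes" time range chosen in the schedule dialog
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
# "Output results to lookup" action
action.lookup = 1
action.lookup.filename = update_lookup_report_replace.csv
# 0 = Replace (rewrite the whole file each run), 1 = Append (add the new rows)
action.lookup.append = 0
```

For the Append example, set action.lookup.filename = update_lookup_report_append.csv and action.lookup.append = 1. After a few scheduled runs, read the file back with `| inputlookup update_lookup_report_append.csv` to confirm the rows you expect are there.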
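Because Append never removes rows, a lookup fed this way needs an occasional check that overlapping or skipped runs have not left duplicate or missing buckets. The script below is an added example, not code from the original post: it reads a constructed CSV shaped like the appended lookup (column names follow the report's timechart; the values, including the duplicated bucket, are made up) and reports duplicate _time values, missing 5-minute buckets, and a consolidated view that keeps the last row written per bucket. It assumes _time is stored as epoch seconds.

```python
import csv
import io

# Constructed sample: what the Append-mode lookup might look like after four
# scheduled runs. Columns mirror the report's timechart (one per HTTP method).
# The second and third rows share a _time: run 2 started late and caught a
# partial 5-minute bucket, and run 3 then appended the full bucket again.
# The bucket at 1700000400 is absent, as if one scheduled run was skipped.
SAMPLE_APPEND_CSV = """\
_time,GET,POST
1699999800,12,1
1700000100,3,0
1700000100,14,2
1700000700,11,1
"""

SPAN_SECONDS = 300  # span=5min in the report


def load_rows(text):
    """Parse lookup CSV text into a list of dicts with _time as an int (epoch seconds)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["_time"] = int(float(row["_time"]))
    return rows


def duplicate_times(rows):
    """Return the sorted _time values that occur more than once (overlapping runs)."""
    seen, dups = set(), set()
    for row in rows:
        if row["_time"] in seen:
            dups.add(row["_time"])
        seen.add(row["_time"])
    return sorted(dups)


def missing_buckets(rows, span=SPAN_SECONDS):
    """Return bucket start times between the first and last _time that have no row (skipped runs)."""
    times = {row["_time"] for row in rows}
    if not times:
        return []
    lo, hi = min(times), max(times)
    return [t for t in range(lo, hi + 1, span) if t not in times]


def consolidate(rows):
    """Keep the last row written for each _time (the later, fuller bucket), sorted by _time."""
    latest = {}
    for row in rows:
        latest[row["_time"]] = row  # later rows overwrite earlier ones
    return [latest[t] for t in sorted(latest)]


def summarize(text):
    """Health summary of an appended lookup: row count, duplicates, gaps, consolidated size."""
    rows = load_rows(text)
    return {
        "rows": len(rows),
        "duplicate_times": duplicate_times(rows),
        "missing_buckets": missing_buckets(rows),
        "consolidated_rows": len(consolidate(rows)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_APPEND_CSV))
```

Run it against a copy of the CSV from the app's lookups directory. A non-empty duplicate_times list means the schedule and time range overlap (or a run started late); a non-empty missing_buckets list means runs were skipped, so the lookup should not be trusted as a complete history for those intervals.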
Hope you have enjoyed this blog; we will come back with new Splunk topics. Until then, goodbye and stay safe and strong.
Happy Splunking !!