Output results to a CSV lookup
This action writes the results of a triggered alert or a run of a scheduled report to a CSV lookup file that you specify. The results can replace the existing file contents, or they can be appended to the existing file contents.
The Splunk software uses the
outputlookup command to write the search results to the CSV lookup file.
- Learn how to upload CSV lookup files and create CSV lookup definitions. See Define a CSV Lookup in Splunk Web in the Knowledge Manager Manual.
- You can configure the output results to lookup action when you create a new alert, edit the actions for an existing alert, or define or edit the schedule for a report. Follow one of the options below.
Option Steps Create a new alert From the Search page in the Search and Reporting app, select Save As > Alert. Enter alert details and configure triggering and throttling as needed. Edit an existing alert From the Alerts page in the Search and Reporting app, select Edit > Edit Alert for an existing alert. Define or edit the schedule of a report From the Reports page in the Search and Reporting app, select Edit > Edit schedule for a report.
- Click Add Actions and select Output results to lookup.
- Provide a File name of a CSV lookup file. You can provide the name of a CSV lookup file that has already been uploaded to your Splunk implementation, or you can provide a CSV lookup file name that is not currently uploaded.
If you provide a CSV lookup file name that has not been uploaded to your Splunk implementation, the Splunk platform creates a CSV file with the file name you provide. The Splunk platform then populates the new CSV file with the results of that first triggering search job.
To see a list of the CSV lookup files currently uploaded to your Splunk implementation, select Settings > Lookups > Lookup table files.
- Determine how you would like to have the Results written to the CSV lookup file.
Option Description Append Append the results returned by a run of the search to the contents of the CSV file. This is the default setting. Replace Replace the contents of the CSV file with the results returned by a run of the search.
- Click Save.
Use a webhook alert action
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2209 (latest FedRAMP release), 8.2.2106, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208
Feedback submitted, thanks!