Refine your search:

Delete old data from lookupfile

1

Hi,

I have a lookup file which will get update daily(from a scheduled search ), I need keep only last 45 days data in it, means data which is added 45 days back needs to be deleted.(we have _time field in lookup file)

Please let me know if there is any other way to store the data(which will update daily ) with out using lookup file.

asked 21 Jan '12, 10:09

Ravan's gravatar image

Ravan
68114
accept rate: 100%

One Answer:
oldestnewestmost voted
4

This (should be) fairly trivial as part of your scheduled search that creates your lookup. I assume that your lookup is created roughly as follows:

some_search_terms | inputlookup append=true lookup.csv | 
some_other_stuff | outputlookup lookup.csv

Following this paradigm, you can insert something like this before the outputlookup:

| where _time >= now() - (86400 * 45)
link

answered 21 Jan '12, 10:38

dwaddle's gravatar image

dwaddle ♦
15.4k2924
accept rate: 33%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×290

Asked: 21 Jan '12, 10:09

Seen: 594 times

Last updated: 21 Jan '12, 10:38

Related questions

Delete old hosts from web interface (all indexed data)

Deleting data from summary index or any index?

Attempting to retire (delete) old data

How to delete a huge number of old events from the test data that has slipped in

delete command timesout and is very slow

Delete operations in splunkweb

how to really delete, NOT HIDE, data from splunk

Is there a way to delete old data from wide bucket spans

lookup data permanent?

Copyright © 2005-2012 Splunk Inc. All rights reserved.