https://community.splunk.com/t5/Alerting/add-field-to-lookup/m-p/544775#M10346 <P>One last question;</P><P>How can I add a query to avoid duplicate lines in the csv file? I used the dedup command, but this does not prevent duplicate lines in the csv file.</P> Mon, 22 Mar 2021 13:43:21 GMT sfurkan 2021-03-22T13:43:21Z https://community.splunk.com/t5/Alerting/add-field-to-lookup/m-p/544742#M10340 <P>Hi,</P><P>When an alarm is triggered, I want a field inside the event (e.g user) to be added to a preexisting lookup file.</P><P>How can I do?</P><P>Thanks,</P> Mon, 22 Mar 2021 08:09:06 GMT https://community.splunk.com/t5/Alerting/add-field-to-lookup/m-p/544742#M10340 sfurkan 2021-03-22T08:09:06Z https://community.splunk.com/t5/Alerting/add-field-to-lookup/m-p/544745#M10341 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231310">@sfurkan</a>,</P><P>to do this, you have to modify the search in your alert adding at the end the row to modify in the lookup and using the outputlookup command.</P><P>The way to do this depends on your situation:</P><UL><LI>if you have to add a new row to the lookup, it's the easiest situation because you have to add to the outputlookup command the option "append=true",</LI><LI>if you have to modify an existing row, you have to create a new table, containing all the rows of the lookup, modifying only the row related to the alert and then use the output lookup the covers all the rows in the lookup,</LI><LI>if at least you have a kv store, you have to modify the kvstore follwowing the instructions at&nbsp;<A href="https://community.splunk.com/t5/Knowledge-Management/How-to-update-a-KV-store-field/m-p/298384" target="_blank">https://community.splunk.com/t5/Knowledge-Management/How-to-update-a-KV-store-field/m-p/298384</A>.</LI></UL><P>Ciao.</P><P>Giuseppe</P> Mon, 22 Mar 2021 08:57:36 GMT https://community.splunk.com/t5/Alerting/add-field-to-lookup/m-p/544745#M10341 gcusello 2021-03-22T08:57:36Z https://community.splunk.com/t5/Alerting/add-field-to-lookup/m-p/544758#M10342 <P>Thanks,</P><P>I want to add a row to an existing column in the csv file.&nbsp;Existing records in the csv file should not be deleted.</P><P>For example, I want to take user information in the windows event and add it as a row.</P><P>Is it not possible to do it from the "trigger actions" section?</P> Mon, 22 Mar 2021 12:29:31 GMT https://community.splunk.com/t5/Alerting/add-field-to-lookup/m-p/544758#M10342 sfurkan 2021-03-22T12:29:31Z https://community.splunk.com/t5/Alerting/add-field-to-lookup/m-p/544764#M10343 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231310">@sfurkan</a>,</P><P>as I said, if you need to add an entire row, you can add to the end of your alert searcvh:</P><LI-CODE lang="markup">| outputlookup your_lookup.csv append=true</LI-CODE><P>If instead you want to modifiy only one field of an existing row, the search is more complex.</P><P>Anyway&nbsp;<SPAN>it isn't possible to do it from the "trigger actions" section.</SPAN></P><P><SPAN>Ciao.</SPAN></P><P><SPAN>Giuseppe</SPAN></P> Mon, 22 Mar 2021 13:00:23 GMT https://community.splunk.com/t5/Alerting/add-field-to-lookup/m-p/544764#M10343 gcusello 2021-03-22T13:00:23Z https://community.splunk.com/t5/Alerting/add-field-to-lookup/m-p/544774#M10345 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231310">@sfurkan</a>,</P><P>good for you.</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma points are appreciated ;_)</P> Mon, 22 Mar 2021 13:40:32 GMT https://community.splunk.com/t5/Alerting/add-field-to-lookup/m-p/544774#M10345 gcusello 2021-03-22T13:40:32Z https://community.splunk.com/t5/Alerting/add-field-to-lookup/m-p/544775#M10346 <P>One last question;</P><P>How can I add a query to avoid duplicate lines in the csv file? I used the dedup command, but this does not prevent duplicate lines in the csv file.</P> Mon, 22 Mar 2021 13:43:21 GMT https://community.splunk.com/t5/Alerting/add-field-to-lookup/m-p/544775#M10346 sfurkan 2021-03-22T13:43:21Z https://community.splunk.com/t5/Alerting/add-field-to-lookup/m-p/544776#M10347 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231310">@sfurkan</a>,</P><P>you have to update the timestamp in a lookup with two columns:</P><UL><LI>host</LI><LI>last connection,</LI></UL><P>when a condition is trggered, you could run something like this:</P><LI-CODE lang="markup">index=your_index your_condition | eval host=lower(host) | stats latest(_time) AS latest BY host | append [ | inputlookup | eval host=lower(host) | fields host latest ] | stats max(latest) As latest By host | outputlookup your_lookup</LI-CODE><P>In other words, you have to take the values from the search and from the lookup modifying only the values from the main search and savinf the results in the loolup.</P><P>If you could share your alert's search and the fields of your lookup I could be more precise</P><P>Ciao.</P><P>Giuseppe</P> Mon, 22 Mar 2021 13:55:22 GMT https://community.splunk.com/t5/Alerting/add-field-to-lookup/m-p/544776#M10347 gcusello 2021-03-22T13:55:22Z