topic Re: outputlookup append one field but not another in Splunk Search

outputlookup append one field but not another

daniel_althoff8 — Fri, 07 Aug 2020 20:59:17 GMT

I am trying to write a search that will update a lookup asset table, with an additional table column metric (weight1). However, I want to be able to append the asset column, without the 2nd column being appended.

Is this possible?

example:

index=* host=* | table host weight1| dedup host | rename host AS asset| outputlookup append=false asset_score.csv

This will run as a saved search to update the lookup table periodically.

However, if I modify the "weight1" column values in lookupeditor, the changes get wiped out whenever the above saved search runs.

Any suggestions?

Re: outputlookup append one field but not another

richgalloway — Fri, 07 Aug 2020 21:08:46 GMT

The outputlookup command replaces the entire lookup file, unless you the append=true option.

To replace parts of the lookup, you have to read in the lookup file, make the changes using SPL, and then write the lookup. That looks like this:

This query should retain rows from the lookup file while adding new hosts from the search.

Re: outputlookup append one field but not another

daniel_althoff8 — Fri, 07 Aug 2020 21:35:48 GMT

The above suggestion still wipes out the "weight1" values from the lookup editor every time that search is ran.

The goal is this---

Create a search that creates a lookup table of all hosts in the environment, and assign a value to each host. The search will run on a schedule so that any time a new host is created, the lookup table gets populated with that new host/ asset.

I want to assign a # value (that can be edited) to each host in the lookup table, that can be used and queried against for other metrics later on.

So the search needs to populate just the "asset" column, but not modify the "weight" column everytime the search is ran.

Re: outputlookup append one field but not another

richgalloway — Sat, 08 Aug 2020 23:29:44 GMT

Let's try something a little different.

After the sort we should have a list of hosts and weights.

foo 10 foo 0 bar 5 bar 0 baz 0

Dedup will yield the unique host names, along with their associated weights.

foo 10 bar 5 baz 0

Re: outputlookup append one field but not another

daniel_althoff8 — Mon, 10 Aug 2020 21:33:13 GMT

Unfortunately, I am still getting the same issue. Where every time the search is ran, now the eval stanza forces the weight back to 0.

I need to be able to edit the lookup table, but when the search runs, my edits wont change.

The goal is to run a saved search to automatically add any new host (and not duplicate the host list) to the lookup table list with a default weight value, and then modify the weight values manually, but not have them revert back to the default weight value.