topic Re: Using comparison logic to add / remove entries from a lookup table. in Splunk Search

How to use comparison logic to add / remove entries from a lookup table?

mark_cet — Tue, 14 Feb 2023 16:35:47 GMT

Hello again, my apologies for all of these questions.

I have a lookup table called login_sessions.csv which will keep track of allowed login sessions. It has the following columns UID, sessionstart, and sessionend.

I would like to add and remove entries to the lookup table depending on the value of a field called "action" in the events.

If the value of action is "login" then I would like to add the userID, session_start, session_end fields from the event into the login_sessions.csv lookup, and if the value is "logoff" then I would like to remove the existing entry from the lookup.

I was hoping I could use something like an if or case statement to do this, but I have only seen them used with eval and I haven't had much luck so far.

E.G.

if(action=="login", (inputlookup append=true login_sessions.csv | eval UID=userID, sessionstart=session_start, sessionend=session_end | outputlookup login_sessions.csv))

Is there a way to do this in a search?

Thank you for any assistance.

Re: Using comparison logic to add / remove entries from a lookup table.

richgalloway — Tue, 14 Feb 2023 15:42:49 GMT

SPL does not support branching commands. Branching is only supported within the eval, where, and fieldformat commands.

To remove lines from a lookup table, use the where command to filter out unwanted result and write the remainder back to the lookup.

| inputlookup append=true login_sessions.csv | where action!="login" | eval UID=userID, sessionstart=session_start, sessionend=session_end | outputlookup login_sessions.csv

Re: How to use comparison logic to add / remove entries from a lookup table?

mark_cet — Tue, 14 Feb 2023 16:41:39 GMT

Perfect, thank you for clarifying!

Re: Using comparison logic to add / remove entries from a lookup table.

mark_cet — Wed, 15 Feb 2023 15:33:54 GMT

Sorry one more question. Can I use a field name in the where command?

| eval search_action="login"

| where action!=search_action

I gave it a try but it doesn't appear to work.

Thanks.

Re: Using comparison logic to add / remove entries from a lookup table.

richgalloway — Wed, 15 Feb 2023 16:38:15 GMT

Yes, the where command supports field names on both sides of the expression (unlike the search command).

Re: Using comparison logic to add / remove entries from a lookup table.

mark_cet — Fri, 17 Feb 2023 18:57:10 GMT

My apologies Rich, I am not able to get this to work if I use field names on both sides of the expression in my where command.

Is there a special way to identify that it is a field and not a value?

Thanks.

Re: Using comparison logic to add / remove entries from a lookup table.

mark_cet — Thu, 23 Feb 2023 14:57:08 GMT

I was not able to get the field names to work in the where command so I had to redo my lookup so I could use static values instead of the field names. The KV Store lookup appears to work much better when removing rows.

Thanks anyways.