topic Re: Modify lookup cells by search command in Splunk Search

Modify lookup cells by search command

ICAP_RND — Tue, 29 Sep 2020 12:56:44 GMT

I have a lookup called FailuresList
It contains the following fields: date, site, text, excluded
I would like to modify the "excluded" from "No" to "Yes" of keys that their date equals to DateT extracted by the following search

index=clientlogs FailedApp=* OR "WorkflowServer.CloseApplication * pid:" | rex field=Message.Text "pid: (?\d+)"| transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s mvlist=f | eval dateT=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N")

How shall I do it?

Re: Modify lookup cells by search command

muebel — Tue, 21 Feb 2017 15:06:54 GMT

Is this lookup kvstore of csv based?

Re: Modify lookup cells by search command

muebel — Tue, 21 Feb 2017 15:10:01 GMT

Hi ICAP_RND, if this lookup is csv based, the only option is to use inputlookup to pull in the table, use search commands such as eval to adjust the fields as needed, and then outputlookup to rewrite the modified table to disk.

If it is kvstore based, there are rest commands that can be used for pinpoint modification of specific table entries. More information is available here : http://dev.splunk.com/view/SP-CAAAEZG

Please let me know if this answers your question!

Re: Modify lookup cells by search command

woodcock — Tue, 21 Feb 2017 15:12:43 GMT

Assuming that the key is AppPID, try this:

index=clientlogs FailedApp= OR "WorkflowServer.CloseApplication pid:" | rex field=Message.Text "pid: (?\d+)"| transaction AppPID host startswith="WorkflowServer.CloseApplication pid:" endswith="Application failed" maxspan=60s mvlist=f | eval dateT=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N") | fields AppPID dateT | append [|inputlookup MyLookupName] | stats values(*) AS * by AppPID | eval excluded = if((date=dateT), "Yes", excluded) | fields - dateT | outputlookup MyLookupName

Re: Modify lookup cells by search command

somesoni2 — Tue, 21 Feb 2017 15:31:29 GMT

Another approach. This is updating exclude="Yes" for every date which are available in the search.

index=clientlogs  FailedApp=* OR "WorkflowServer.CloseApplication * pid:" | rex field=Message.Text "pid: (?<AppPID>\d+)"| transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s  mvlist=f | eval date=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N") | stats count by date | table date | eval exclude_new="Yes" | eval discard="yes"  | append [| inputlookup FailuresList] | eventstats values(exclude_new) as exclude_new by date | where discard!="yes"  |eval exclude=coalesce(exclude_new,exclude) | fields - exclude_new |    outputlookup FailuresList

Re: Modify lookup cells by search command

ICAP_RND — Tue, 21 Feb 2017 22:19:57 GMT

AppPID is not the key, therefore it didn't work for me. Any idea?

Re: Modify lookup cells by search command

ICAP_RND — Tue, 21 Feb 2017 22:57:40 GMT

Instead of where discard!="yes" you shall use where isnull(discard)
All the rest was perfectly matching. Thanks!