Hi,
When an alarm is triggered, I want a field inside the event (e.g user) to be added to a preexisting lookup file.
How can I do this?
Thanks,
Hi @sfurkan,
to do this, you have to modify the search in your alert, adding at the end the row to modify in the lookup and using the outputlookup command.
The way to do this depends on your situation:
- if you have to add a new row to the lookup, it's the easiest situation because you only have to add the option "append=true" to the outputlookup command,
- if you have to modify an existing row, you have to create a new table containing all the rows of the lookup, modifying only the row related to the alert, and then use outputlookup to overwrite all the rows in the lookup,
- if instead you have a KV store, you have to modify the KV store following the instructions at https://community.splunk.com/t5/Knowledge-Management/How-to-update-a-KV-store-field/m-p/298384.
Ciao.
Giuseppe
One last question;
How can I add a query to avoid duplicate lines in the csv file? I used the dedup command, but this does not prevent duplicate lines in the csv file.
Hi @sfurkan,
say you have to update the timestamp in a lookup with two columns:
- host
- last connection.
When a condition is triggered, you could run something like this:
index=your_index your_condition
| eval host=lower(host)
| stats latest(_time) AS latest BY host
| append [ | inputlookup your_lookup | eval host=lower(host) | fields host latest ]
| stats max(latest) AS latest BY host
| outputlookup your_lookup
In other words, you have to take the values from the search and from the lookup, modifying only the values from the main search, and save the results in the lookup.
If you could share your alert's search and the fields of your lookup I could be more precise
Ciao.
Giuseppe
Thanks,
I want to add a row to an existing column in the csv file. Existing records in the csv file should not be deleted.
For example, I want to take user information in the windows event and add it as a row.
Is it not possible to do it from the "trigger actions" section?
Hi @sfurkan,
as I said, if you need to add an entire row, you can add to the end of your alert search:
| outputlookup your_lookup.csv append=true
If instead you want to modify only one field of an existing row, the search is more complex.
Anyway it isn't possible to do it from the "trigger actions" section.
Ciao.
Giuseppe
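As an added example (not part of the thread above, and not Splunk's own documentation), here is the "user from a Windows event" case from the follow-up question written as a complete scheduled alert in savedsearches.conf, using the merge pattern Giuseppe shows for the host/timestamp lookup. It also answers the duplicate-rows question: `| dedup user | outputlookup ... append=true` cannot prevent duplicates, because dedup only sees the rows of the current search, while append=true blindly adds them to whatever the file already contains. Reading the existing lookup back with inputlookup and re-aggregating with a second `stats ... BY user` is what guarantees exactly one row per user. The index name, EventCode, the `user` field name, the lookup file name `alerted_users.csv` and its columns (`user`, `first_seen`, `last_seen`) are assumptions for illustration; substitute your own.

```ini
# savedsearches.conf in the app that owns the lookup (constructed example).
# Assumed: index "wineventlog", logon events EventCode=4624 carrying a "user"
# field, and an existing lookup file alerted_users.csv with the header
#   user,first_seen,last_seen
[Alert - record users seen in Windows events]
# Run every 15 minutes over the previous 15 minutes (assumed schedule).
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
# Standard alert settings: trigger when the search returns at least one row.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
# 1. collect the users seen by the alert condition, one row per user;
# 2. append the rows already in the lookup;
# 3. re-aggregate BY user so the merged table has exactly one row per user
#    (earliest first_seen, latest last_seen) - this is the de-duplication;
# 4. overwrite the lookup with the merged table (no append=true needed).
search = index=wineventlog EventCode=4624 \
    | eval user=lower(user) \
    | stats min(_time) AS first_seen, max(_time) AS last_seen BY user \
    | append [ | inputlookup alerted_users.csv | eval user=lower(user) | fields user first_seen last_seen ] \
    | stats min(first_seen) AS first_seen, max(last_seen) AS last_seen BY user \
    | outputlookup alerted_users.csv
```

Before enabling the alert, make sure alerted_users.csv exists in the same app with that header line, because inputlookup fails on a missing lookup file and that would break the subsearch. The same stanza covers the plain "append a row" case as well: a user not yet in the file simply appears after the merge, and a user already there only gets its last_seen updated, which is the "modify one field of an existing row" case from the thread, without needing append=true.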