Solved: add field to lookup

sfurkan · ‎03-22-2021

Hi,

When an alarm is triggered, I want a field inside the event (e.g user) to be added to a preexisting lookup file.

How can I do?

Thanks,

gcusello · ‎03-22-2021

to do this, you have to modify the search in your alert adding at the end the row to modify in the lookup and using the outputlookup command.

The way to do this depends on your situation:

if you have to add a new row to the lookup, it's the easiest situation because you have to add to the outputlookup command the option "append=true",
if you have to modify an existing row, you have to create a new table, containing all the rows of the lookup, modifying only the row related to the alert and then use the output lookup the covers all the rows in the lookup,
if at least you have a kv store, you have to modify the kvstore follwowing the instructions at https://community.splunk.com/t5/Knowledge-Management/How-to-update-a-KV-store-field/m-p/298384.

Ciao.

Giuseppe

View solution in original post

sfurkan · ‎03-22-2021

One last question;

How can I add a query to avoid duplicate lines in the csv file? I used the dedup command, but this does not prevent duplicate lines in the csv file.

gcusello · ‎03-22-2021

Hi @sfurkan,

you have to update the timestamp in a lookup with two columns:

host
last connection,

when a condition is trggered, you could run something like this:

index=your_index your_condition
| eval host=lower(host)
| stats latest(_time) AS latest BY host
| append [ | inputlookup | eval host=lower(host) | fields host latest ]
| stats max(latest) As latest By host
| outputlookup your_lookup

In other words, you have to take the values from the search and from the lookup modifying only the values from the main search and savinf the results in the loolup.

If you could share your alert's search and the fields of your lookup I could be more precise

Ciao.

Giuseppe

gcusello · ‎03-22-2021

Hi @sfurkan,

to do this, you have to modify the search in your alert adding at the end the row to modify in the lookup and using the outputlookup command.

The way to do this depends on your situation:

if you have to add a new row to the lookup, it's the easiest situation because you have to add to the outputlookup command the option "append=true",
if you have to modify an existing row, you have to create a new table, containing all the rows of the lookup, modifying only the row related to the alert and then use the output lookup the covers all the rows in the lookup,
if at least you have a kv store, you have to modify the kvstore follwowing the instructions at https://community.splunk.com/t5/Knowledge-Management/How-to-update-a-KV-store-field/m-p/298384.

Ciao.

Giuseppe

gcusello · ‎03-22-2021

Hi @sfurkan,

good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma points are appreciated ;_)

sfurkan · ‎03-22-2021

Thanks,

I want to add a row to an existing column in the csv file. Existing records in the csv file should not be deleted.

For example, I want to take user information in the windows event and add it as a row.

Is it not possible to do it from the "trigger actions" section?

gcusello · ‎03-22-2021

Hi @sfurkan,

as I said, if you need to add an entire row, you can add to the end of your alert searcvh:

| outputlookup your_lookup.csv append=true

If instead you want to modifiy only one field of an existing row, the search is more complex.

Anyway it isn't possible to do it from the "trigger actions" section.

Ciao.

Giuseppe

add field to lookup

alert action

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake