Alerting

add field to lookup

sfurkan
Explorer

Hi,

When an alarm is triggered, I want a field inside the event (e.g user) to be added to a preexisting lookup file.

How can I do it?

Thanks,

1 Solution

gcusello
SplunkTrust

Hi @sfurkan,

to do this, you have to modify the search in your alert adding at the end the row to modify in the lookup and using the outputlookup command.

The way to do this depends on your situation:

  • if you have to add a new row to the lookup, it's the easiest situation because you have to add to the outputlookup command the option "append=true",
  • if you have to modify an existing row, you have to create a new table, containing all the rows of the lookup, modifying only the row related to the alert and then use the outputlookup that covers all the rows in the lookup,
  • lastly, if you have a KV store, you have to modify the KV store following the instructions at https://community.splunk.com/t5/Knowledge-Management/How-to-update-a-KV-store-field/m-p/298384.

Ciao.

Giuseppe


sfurkan
Explorer

One last question;

How can I add a query to avoid duplicate lines in the csv file? I used the dedup command, but this does not prevent duplicate lines in the csv file.


gcusello
SplunkTrust

Hi @sfurkan,

you have to update the timestamp in a lookup with two columns:

  • host
  • last connection,

when a condition is triggered, you could run something like this:

index=your_index your_condition
| eval host=lower(host)
| stats latest(_time) AS latest BY host
| append [ | inputlookup your_lookup | eval host=lower(host) | fields host latest ]
| stats max(latest) AS latest BY host
| outputlookup your_lookup

In other words, you have to take the values from the search and from the lookup, modifying only the values from the main search and saving the results in the lookup.

If you could share your alert's search and the fields of your lookup I could be more precise.

Ciao.

Giuseppe



gcusello
SplunkTrust

Hi @sfurkan,

good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma points are appreciated ;_)


sfurkan
Explorer

Thanks,

I want to add a row to an existing column in the csv file. Existing records in the csv file should not be deleted.

For example, I want to take user information in the windows event and add it as a row.

Is it not possible to do it from the "trigger actions" section?


gcusello
SplunkTrust

Hi @sfurkan,

as I said, if you need to add an entire row, you can add to the end of your alert search:

| outputlookup your_lookup.csv append=true

If instead you want to modify only one field of an existing row, the search is more complex.

Anyway it isn't possible to do it from the "trigger actions" section.

Ciao.

Giuseppe
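Putting the two replies above together (the append=true write for a whole row, and the stats merge that keeps the lookup free of duplicate rows) for the original case of recording the user from a Windows logon event; this is an added example, not a search from the thread. It assumes an index named wineventlog, EventCode 4624 as the alert condition, and a lookup your_lookup.csv whose columns are user, first_seen and last_seen.

```spl
index=wineventlog EventCode=4624
| eval user=lower(user)
| stats min(_time) AS first_seen, max(_time) AS last_seen BY user
| inputlookup append=true your_lookup.csv
| eval user=lower(user)
| stats min(first_seen) AS first_seen, max(last_seen) AS last_seen BY user
| outputlookup your_lookup.csv
```

Saved as the alert's search, this keeps every user already in the lookup, refreshes last_seen for users seen in the current window, and never writes a second row for the same user because the final stats groups by user; `| outputlookup your_lookup.csv append=true` would instead add a new row on every trigger. Using `inputlookup append=true` rather than a subsearch avoids the subsearch result limit on large lookups.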
