Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to append key/value pairs to a kvstore lookup?

jwalzerpitt
Influencer
‎10-07-2022 07:05 AM

I have a search that leverages a kvstore lookup that takes the src IP and then checks the lookup to see what core, content, and zone the IP is associated with:

 

| lookup zone_lookup cidr_range as src
| fillnull value=NULL
| search context!="" core!="" zone!=""
| eval core=coalesce(core,"null") 
| eval context=coalesce(context,"null") 
| eval zone=coalesce(zone,"null")

 

Unfortunately, we do not have a ROA for this info so we have populated the kvstore lookup from various sources as best we can, but sometimes we'll see src IPs with no zone listed. I do have a table I keep that allows me to fill in those blanks and it's a simple table as follows:

 

cidr_range	zone
x.x.x.x/16	zone1
y.y.y.y/24	zone2
z.z.z.z/24	zone3

 

I'd like to create a search that appends my lookup with this data - how would I write that search?

Thx

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

johnhuang
Motivator
‎10-07-2022 08:23 AM

Once you upload your spreadsheet as a lookup csv,  you can access it in a search. Here's how you can write the search to update the kvstore.

Assuming that the fieldnames are cidr_range and zone:

| inputlookup spreadsheet_data.csv
| lookup zone_lookup cidr_range OUTPUT zone AS zone2
| search NOT zone2=*
| table cidr_range zone

 Once you've validated the results, you can update the kvstore by adding the following line to the end of the search.

| outputlookup zone_lookup append=true

  

View solution in original post

Reply
Solved! Jump to solution

johnhuang
Motivator
‎10-07-2022 07:38 AM

Few questions:

I do have a table I keep that allows me to fill.....

By table do you mean index or lookup?

I'd like to create a search that appends my lookup with this data 

By append, did you mean 1. you want this data to enrich the current search, or 2. you want to append to the kvstore lookup as new rows, or 3. you want to update the existing kvstore null records?

Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎10-07-2022 07:46 AM

Great questions and allow me to clarify:

  • I have this data in a spreadsheet that I simply refer back to
  • I want to append to the kvstore lookup as new rows as the data I have in my spreadsheet  doesn't exist in the kvstore

For example, I see src IPs that have no zone associated with them because that data is not in the kvstore, but in my spreadsheet so I'd like to append that data so it's in the kvstore/lookup

Hope this helps

Thx

0 Karma
Reply
Solved! Jump to solution
Solution

johnhuang
Motivator
‎10-07-2022 08:23 AM

Once you upload your spreadsheet as a lookup csv,  you can access it in a search. Here's how you can write the search to update the kvstore.

Assuming that the fieldnames are cidr_range and zone:

| inputlookup spreadsheet_data.csv
| lookup zone_lookup cidr_range OUTPUT zone AS zone2
| search NOT zone2=*
| table cidr_range zone

 Once you've validated the results, you can update the kvstore by adding the following line to the end of the search.

| outputlookup zone_lookup append=true

  

Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎10-11-2022 03:51 AM

Thx for the solution!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...