Knowledge Management

How to append key/value pairs to a kvstore lookup?

jwalzerpitt
Influencer

I have a search that leverages a kvstore lookup that takes the src IP and then checks the lookup to see what core, content, and zone the IP is associated with:

| lookup zone_lookup cidr_range as src
| fillnull value=NULL
| search context!="" core!="" zone!=""
| eval core=coalesce(core,"null") 
| eval context=coalesce(context,"null") 
| eval zone=coalesce(zone,"null")

Unfortunately, we do not have a ROA for this info so we have populated the kvstore lookup from various sources as best we can, but sometimes we'll see src IPs with no zone listed. I do have a table I keep that allows me to fill in those blanks and it's a simple table as follows:

cidr_range	zone
x.x.x.x/16	zone1
y.y.y.y/24	zone2
z.z.z.z/24	zone3

I'd like to create a search that appends my lookup with this data - how would I write that search?

Thx

johnhuang
Motivator

A few questions:

I do have a table I keep that allows me to fill.....

By table do you mean index or lookup?

I'd like to create a search that appends my lookup with this data 

By append, did you mean 1. you want this data to enrich the current search, or 2. you want to append to the kvstore lookup as new rows, or 3. you want to update the existing kvstore null records?

jwalzerpitt
Influencer

Great questions and allow me to clarify:

  • I have this data in a spreadsheet that I simply refer back to
  • I want to append to the kvstore lookup as new rows as the data I have in my spreadsheet doesn't exist in the kvstore

For example, I see src IPs that have no zone associated with them because that data is not in the kvstore, but in my spreadsheet so I'd like to append that data so it's in the kvstore/lookup

Hope this helps

Thx

johnhuang
Motivator

Once you upload your spreadsheet as a lookup CSV, you can access it in a search. Here's how you can write the search to update the kvstore.

Assuming that the fieldnames are cidr_range and zone:

| inputlookup spreadsheet_data.csv
| lookup zone_lookup cidr_range OUTPUT zone AS zone2
| search NOT zone2=*
| table cidr_range zone

Once you've validated the results, you can update the kvstore by adding the following line to the end of the search.

| outputlookup zone_lookup append=true

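The procedure in the answer above (anti-join the uploaded spreadsheet against the KV store, then append only the rows that are missing), as an added Python model that is not code from this thread or from Splunk. It mirrors what the search does so the candidate rows can be checked offline before `outputlookup append=true` writes to a live collection, and it adds three checks a practitioner would want before appending: malformed CIDRs are rejected instead of written, ranges that nest inside one another are reported (a CIDR-type lookup returns every row whose range contains the source IP, so overlaps make the zone ambiguous), and a second run against the merged collection is shown to add nothing, since `append=true` would otherwise insert duplicate rows on every re-run. The field names cidr_range, zone, core and context are the thread's own; the function names and every sample row are assumptions constructed for the example.

```python
"""Added example; this is not code from the original thread or from Splunk.

Models the answer's procedure (anti-join the uploaded spreadsheet against
the KV store, append only the rows that are missing) in plain Python so the
result can be checked offline before `outputlookup append=true` touches a
live collection. Field names cidr_range, zone, core and context are the
ones used in the thread; every row below is constructed sample data.
"""
import ipaddress

# Constructed stand-in for the existing "zone_lookup" KV store collection.
KVSTORE_ROWS = [
    {"_key": "k1", "cidr_range": "10.1.0.0/16", "core": "coreA", "context": "prod", "zone": "zone1"},
    {"_key": "k2", "cidr_range": "172.16.5.0/24", "core": "coreB", "context": "test", "zone": "zone2"},
]

# Constructed stand-in for spreadsheet_data.csv after upload as a CSV lookup.
SPREADSHEET_ROWS = [
    {"cidr_range": "10.1.0.0/16", "zone": "zone1"},     # already present -> skipped
    {"cidr_range": "192.168.0.0/16", "zone": "zone3"},  # missing -> appended
    {"cidr_range": "10.1.7.5/24", "zone": "zone4"},     # host bits set; normalised to 10.1.7.0/24
    {"cidr_range": "10.300.0.0/8", "zone": "bad"},      # malformed -> rejected, never appended
]


def normalize_cidr(value):
    """Canonical CIDR string for `value`, or None if it is not a valid network."""
    try:
        return str(ipaddress.ip_network(value.strip(), strict=False))
    except ValueError:
        return None


def rows_to_append(kvstore_rows, spreadsheet_rows):
    """Python equivalent of the answer's search:
         | inputlookup spreadsheet_data.csv
         | lookup zone_lookup cidr_range OUTPUT zone AS zone2
         | search NOT zone2=*
         | table cidr_range zone
    Returns (new_rows, rejected_rows). Malformed ranges are rejected rather
    than written, and a range that appears twice in the sheet is taken once.
    """
    existing = {normalize_cidr(r["cidr_range"]) for r in kvstore_rows}
    new_rows, rejected, seen = [], [], set()
    for row in spreadsheet_rows:
        cidr = normalize_cidr(row["cidr_range"])
        if cidr is None:
            rejected.append(row)
        elif cidr not in existing and cidr not in seen:
            seen.add(cidr)
            new_rows.append({"cidr_range": cidr, "zone": row["zone"]})
    return new_rows, rejected


def overlapping_ranges(rows):
    """Pairs (inner, outer) where one range sits inside another.

    A CIDR lookup returns every row whose range contains src, so overlaps
    make the zone ambiguous; review them before appending.
    """
    nets = [ipaddress.ip_network(r["cidr_range"], strict=False) for r in rows]
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.version != b.version:
                continue
            if a.subnet_of(b):
                pairs.append((str(a), str(b)))
            elif b.subnet_of(a):
                pairs.append((str(b), str(a)))
    return pairs


def matching_zones(src_ip, rows):
    """Zones of every range containing src_ip, most specific first; the
    empty list is the case the questioner's search turns into zone="null"."""
    ip = ipaddress.ip_address(src_ip)
    hits = []
    for r in rows:
        net = ipaddress.ip_network(r["cidr_range"], strict=False)
        if ip.version == net.version and ip in net:
            hits.append((net.prefixlen, r["zone"]))
    return [zone for _, zone in sorted(hits, key=lambda h: -h[0])]


if __name__ == "__main__":
    new, bad = rows_to_append(KVSTORE_ROWS, SPREADSHEET_ROWS)
    print("append:", new)
    print("rejected:", bad)
    merged = KVSTORE_ROWS + new
    print("overlaps:", overlapping_ranges(merged))
    print("10.1.7.9 ->", matching_zones("10.1.7.9", merged))
    # A second run against the merged collection must add nothing; otherwise
    # every re-run of `outputlookup append=true` would insert duplicate rows.
    print("second run adds:", len(rows_to_append(merged, SPREADSHEET_ROWS)[0]))
```

Run it as a script to see the rows that would be appended, the rows that would be refused, and any nested ranges in the merged collection. The exact-string anti-join is what the answer's `lookup ... OUTPUT zone AS zone2 | search NOT zone2=*` step performs, so normalising the CIDR strings first (as `normalize_cidr` does) is what keeps a row like `10.1.7.5/24` from slipping past that comparison as a "new" range.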
jwalzerpitt
Influencer

Thx for the solution!
