Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Update kvstore

javier_reina
Explorer
‎05-11-2021 12:49 AM

Good morning,

We are trying to use a kvstore to store data when performing a query to later query it in a dashboard.

The kvstore has the following data:

Subcontrols | Value1 | Value2
1.1                    | 100       | 99
1.2                    | 200       | 80
1.3                    |99           | 98

Reviewing the documentation and following the examples we can enter a number manually in the query and change the value using a | eval :

| inputlookup ciskvstore | eval key=_key | where SubControls="1.1" | eval Value2=526 | outputlookup ciskvstore append=True

And the result would be the following:

Subcontrols | Value1 | Value2
1.1                    | 100       | 526
1.2                    | 200       | 80
1.3                    |99           | 98

 

The problem appears when we try to update the Value2 field of a Subcontrol from another query:

EX:

| inputlookup ciskvstore append=true | where SubControls="1.1" | append [| search index=paloalto sourcetype="pan:threat" | stats count as Value2 ] | outputlookup ciskvstore append=true

The result in the kvstore would be the following:

Subcontrols | Value1 | Value2
1.1                    | 100       | 526
1.2                    | 200       | 80
1.3                    |99           | 98
                                            | 396


Could someone help me and tell me how to correctly perform the query so that from another query I can write the Value2 field of a specific Subcontrol please?

 

Thank you very much in advance,

Labels (2)
Labels
0 Karma
Reply

javier_reina
Explorer
‎06-04-2021 12:32 AM

 

Good morning @kamlesh_vaghela 

In a kv store we have 3 columns: Subcontrol, Value1 and Value2.

We are trying to calculate the percentage of Value1 and Value2 for each of the rows with a | eval and that creates new fields with the percentage, for example:

 

javier_reina_0-1622791933341.png

 

 

Expected result:

Subcontrol1%=0
Subcontrol2%=0
Subcontrol3%=100

 

Do you know how to perform the query to get the percentages in a new field for each row?


Greetings and thank you very much in advance.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-04-2021 01:04 AM

@javier_reina 

Have you tried eval ?

| eval percentage = round((value1/value2)*100)

 

KV 

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-11-2021 01:58 AM

@javier_reina 

 

Can you please try this?

index=paloalto sourcetype="pan:threat" 
| stats count as Value2
| appendcols [| inputlookup ciskvstore 
| eval key=_key 
| where SubControls="1.1"] | outputlookup ciskvstore append=true key_field=key
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...