How to update the blackout for three hosts(mep1,me...

Miky · ‎08-17-2022

Hi Guys,

I have a host_blackout.csv, and I want to update the blackout for three hosts(mep1,mep2,mep3) among the 30 hosts I have:

1) the new end_time should be updated to end of next week("08/28/202 11:00").

My output looks like this:

end_time	host	notes	start_time
08/18/2022 09:00	mep1	INC000006	08/14/2022 23:00
08/11/2022 09:00	mep2	INC000002	08/11/2022 20:15
08/12/2022 10:00	mep3	INC000003	08/10/2022 12:00
08/10/2022 09:00	mep4	INC000004	08/06/2022 23:00
08/05/2022 09:00	mep5	INC0000012	10/27/2018 00:00
08/05/2022 09:00	mep6	INC00000123	08/03/2022 23:00
08/05/2022 09:00	mep7	INC000002537	10/27/2018 00:00
08/05/2022 09:00	mep8	INC0000011	11/20/2018 00:00
08/05/2022 09:00	mep9

Can you help please?

richgalloway · ‎08-17-2022

It's not possible to update a single entry in a CSV file - you have to update the entire file. Fortunately, that's not difficult. The steps are: 1) read the existing file; 2) make the desired changes; 3) rewrite the file.

| inputlookup host_blackout.csv
| <<your SPL to make the desired changes>>
| outputlookup host_blackout.csv

---
If this reply helps you, Karma would be appreciated.

Miky · ‎08-17-2022

Thanks rich as always,

How would the SPL looks like to do the changes.

I'm stuck implementing that SPL language.

Thanks!

richgalloway · ‎08-18-2022

That's a big box of Depends. It could be a simple eval:

| eval start_time = if(host="mep1", now(), start_time)

or something much more complex. It depends on how you decide which row to update.

---
If this reply helps you, Karma would be appreciated.

How to update the blackout for three hosts(mep1,mep2,mep3) among the 30 hosts I have?

other

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!