Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to update the blackout for three hosts(mep1,mep2,mep3) among the 30 hosts I have?

Miky
Explorer
‎08-17-2022 11:54 AM

Hi Guys,

I have a host_blackout.csv, and I want to update the blackout for three hosts(mep1,mep2,mep3) among the 30 hosts I have:

1) the new end_time should be updated to end of next week("08/28/202 11:00").

My output looks like this:

end_time

host

notes

start_time

08/18/2022 09:00

 mep1

INC000006

08/14/2022 23:00

08/11/2022 09:00

 mep2

INC000002

08/11/2022 20:15

08/12/2022 10:00

 mep3

INC000003

08/10/2022 12:00

08/10/2022 09:00

 mep4

INC000004

08/06/2022 23:00

08/05/2022 09:00

 mep5 INC0000012

10/27/2018 00:00

08/05/2022 09:00

 mep6 INC00000123

08/03/2022 23:00

08/05/2022 09:00

 mep7 INC000002537

10/27/2018 00:00

08/05/2022 09:00

 mep8 INC0000011

11/20/2018 00:00

08/05/2022 09:00

 mep9

 

Can you help please?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-17-2022 01:41 PM

It's not possible to update a single entry in a CSV file - you have to update the entire file.  Fortunately, that's not difficult.  The steps are: 1) read the existing file; 2) make the desired changes; 3) rewrite the file.

| inputlookup host_blackout.csv
| <<your SPL to make the desired changes>>
| outputlookup host_blackout.csv
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Miky
Explorer
‎08-17-2022 01:54 PM

Thanks rich as always,

How would the SPL looks like to do the changes.

I'm stuck implementing that SPL language.

Thanks!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-18-2022 05:23 AM

That's a big box of Depends.  It could be a simple eval:

| eval start_time = if(host="mep1", now(), start_time)

or something much more complex.  It depends on how you decide which row to update.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...