Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does Value Exist in KV Store

shayvdee
Explorer
‎08-14-2019 05:20 PM

Hi All,
Sorry, this might be an obvious one but I'm having trouble finding information on this specific problem.

I have a KV store named 'critical-servers' which contains a list of host name. In my data model I want to create a boolean value 'critical' which is assigned a value of True if the host who produced the event exists in the kvstore.

I seem to only be able to find examples of extracting values from the KVStore and not seeing if a value exists in the list.

Thanks in advance.
S.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-15-2019 10:27 AM

Create a Lookup Definition against your KVStore called something like my_lookup_definition.
Then create an Automatic Lookup to do this:

... | lookupmy_lookup_definition <Server Field Name In Lookup> <Server Field Name In Data> OUTPUT <Server Field Name In Lookup> AS _critical_temp

Then create a Calculated Field like this:

... | eval critical=if(isnull(_critical_temp),"False", "True")

OR Better yet, eliminate the need for a Calculated Field entirely by configuring your KVStore to have a field called critical with every row having a value of True and then in your Lookup Definition set a default value of False and make your Automatic Lookup like this:

... | lookupmy_lookup_definition <Server Field Name In Lookup> <Server Field Name In Data> OUTPUT critical

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-15-2019 10:27 AM

Create a Lookup Definition against your KVStore called something like my_lookup_definition.
Then create an Automatic Lookup to do this:

... | lookupmy_lookup_definition <Server Field Name In Lookup> <Server Field Name In Data> OUTPUT <Server Field Name In Lookup> AS _critical_temp

Then create a Calculated Field like this:

... | eval critical=if(isnull(_critical_temp),"False", "True")

OR Better yet, eliminate the need for a Calculated Field entirely by configuring your KVStore to have a field called critical with every row having a value of True and then in your Lookup Definition set a default value of False and make your Automatic Lookup like this:

... | lookupmy_lookup_definition <Server Field Name In Lookup> <Server Field Name In Data> OUTPUT critical
0 Karma
Reply
Solved! Jump to solution

jawaharas
Motivator
‎08-14-2019 05:36 PM

I hope you trying to create the field 'critical' in an Splunk query. (Just confused with the word 'data model' in this context).

Assuming 'server_name' is the field name in your search and kvstore.

KVStore works mostly like a lookup table. You can use below SPL for your usecase. 

| [BASE SEARCH]
| eval server_name="server1"
| lookup critical-servers server_name OUTPUT server_name as server_name_from_kvstore
| eval critical_server=if(isnotnull(server_name_from_kvstore),"Yes","No")
0 Karma
Reply
Solved! Jump to solution

shayvdee
Explorer
‎08-14-2019 05:51 PM

I have a data model running where one of the extracted fields is 'host'.

I am wanting to add another field to the datamodel which is an Eval Expression. I want the eval to check the list of server names in the KVStore for a match of the 'host' field.

As a result I can query the datamodel in other searches by doing:
WHERE datamodel.server.critical=true

0 Karma
Reply
Solved! Jump to solution

jawaharas
Motivator
‎08-14-2019 06:24 PM

Automatic lookup might help you. But you need to define it for the list of sourcetypes used by the particular datamodel.

Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Makeyourlookupautomatic

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...