Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise Security
- :
- Does Value Exist in KV Store
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
Sorry, this might be an obvious one but I'm having trouble finding information on this specific problem.
I have a KV store named 'critical-servers' which contains a list of host name. In my data model I want to create a boolean value 'critical' which is assigned a value of True if the host who produced the event exists in the kvstore.
I seem to only be able to find examples of extracting values from the KVStore and not seeing if a value exists in the list.
Thanks in advance.
S.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create a Lookup Definition against your KVStore called something like my_lookup_definition.
Then create an Automatic Lookup to do this:
... | lookupmy_lookup_definition <Server Field Name In Lookup> <Server Field Name In Data> OUTPUT <Server Field Name In Lookup> AS _critical_temp
Then create a Calculated Field like this:
... | eval critical=if(isnull(_critical_temp),"False", "True")
OR Better yet, eliminate the need for a Calculated Field entirely by configuring your KVStore to have a field called critical with every row having a value of True and then in your Lookup Definition set a default value of False and make your Automatic Lookup like this:
... | lookupmy_lookup_definition <Server Field Name In Lookup> <Server Field Name In Data> OUTPUT critical
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create a Lookup Definition against your KVStore called something like my_lookup_definition.
Then create an Automatic Lookup to do this:
... | lookupmy_lookup_definition <Server Field Name In Lookup> <Server Field Name In Data> OUTPUT <Server Field Name In Lookup> AS _critical_temp
Then create a Calculated Field like this:
... | eval critical=if(isnull(_critical_temp),"False", "True")
OR Better yet, eliminate the need for a Calculated Field entirely by configuring your KVStore to have a field called critical with every row having a value of True and then in your Lookup Definition set a default value of False and make your Automatic Lookup like this:
... | lookupmy_lookup_definition <Server Field Name In Lookup> <Server Field Name In Data> OUTPUT critical
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I hope you trying to create the field 'critical' in an Splunk query. (Just confused with the word 'data model' in this context).
Assuming 'server_name' is the field name in your search and kvstore.
KVStore works mostly like a lookup table. You can use below SPL for your usecase.
| [BASE SEARCH]
| eval server_name="server1"
| lookup critical-servers server_name OUTPUT server_name as server_name_from_kvstore
| eval critical_server=if(isnotnull(server_name_from_kvstore),"Yes","No")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a data model running where one of the extracted fields is 'host'.
I am wanting to add another field to the datamodel which is an Eval Expression. I want the eval to check the list of server names in the KVStore for a match of the 'host' field.
As a result I can query the datamodel in other searches by doing:
WHERE datamodel.server.critical=true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Automatic lookup might help you. But you need to define it for the list of sourcetypes used by the particular datamodel.
Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Makeyourlookupautomatic
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
