Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Adding a field to the table Lookup if there is no value

nalia_v
Loves-to-Learn Everything
‎06-12-2020 02:03 AM

Hello community.

There were a lot of questions of cases with lookups, but something among them I did not find my answer.

There is a table in Lookup - fgt_policy. 

The column1- is the policy number (field cfgobj in logs) and the column2- policy name.

fgtpol.jpg

The essence of the search query is that as soon as the policy is changed on the firewall, an allergy is triggered. There is no policy name in the firewall logs themselves, there is only a field with a number, so I created a table where I transferred all the names of our policies. Also, if a new code appears in the policy field (cfgobj), add it to the table fgt_policy. But in the current result, output only known event codes (cfgobj) with the name of the policy

Field in the firewall log with policy event code -cfgobj

So far it looks like this. The result also includes those codes for which the description in the column2 is not yet. 

fgtpol_1.jpg

I will add the name of the policy to the table with my hands when new codes appear in the field cfgobj.

Labels (1)
Labels
0 Karma
Reply

twesty
Path Finder
‎06-12-2020 03:23 AM

You can break this down into 3 parts

part 1 > run the inputlookup
part 2 > run your search to get the values you dont already have

you seem to have done this already but you just need to do it in the same search. Either a union or inputlookup > append [search] will work. Just make sure that your results contain the output from the lookup furst

then you need to merge the two results together stats first("Column 2") as "Column 2"  by "Column 1". This will update the rows which do not contain a value in column 2 but will leave the current values as-is.

Then you just need to run an outputlookup for the lookup file and you're done.  

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...