Solved: How to update a lookup table for specific rows?

nazanin2016 · ‎01-25-2017

I need to keep the name of all systems that have been detected for phishing in order to use it in another search,
so I update my lookup table with scheduled search as follow:

inputlookup phishing.csv | append [look for phishing logs]| outputlookup phishing.csv

I used append command to keep the previous rows, but I just need to keep each raw only for 1 week from the time it has been added to table (I mean give the time to live=1h)

Any idea?

somesoni2 · ‎01-25-2017

Try like this. This will add a column called addedtime to all rows with the time they were added (using scheduled search). The where filter will remove rows older than 1 week from now.

inputlookup phishing.csv | append [look for phishing logs ] | eval addedtime=coalesce(addedtime,now()) | where addedtime>relative_time(now(),"-1w") | outputlookup phishing.csv

View solution in original post

somesoni2 · ‎01-25-2017

Try like this. This will add a column called addedtime to all rows with the time they were added (using scheduled search). The where filter will remove rows older than 1 week from now.

inputlookup phishing.csv | append [look for phishing logs ] | eval addedtime=coalesce(addedtime,now()) | where addedtime>relative_time(now(),"-1w") | outputlookup phishing.csv

nazanin2016 · ‎01-26-2017

Great,thx,but then shouldn't we say where addedtime <

nazanin2016 · ‎01-26-2017

Great,thx,but then shouldn't we say where addedtime

somesoni2 · ‎01-26-2017

I didn't get it. Did portion of your comment got truncated?

How to update a lookup table for specific rows?

Routing logs with Splunk OTel Collector for Kubernetes

New This Month - Observability Updates Give Extended Visibility and Improve User ...

Intro to Splunk Synthetic Monitoring