Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to update a lookup table for specific rows?

nazanin2016
Path Finder
‎01-25-2017 02:08 PM

I need to keep the name of all systems that have been detected for phishing in order to use it in another search,
so I update my lookup table with scheduled search as follow:

inputlookup phishing.csv | append [look for phishing logs]| outputlookup phishing.csv

I used append command to keep the previous rows, but I just need to keep each raw only for 1 week from the time it has been added to table (I mean give the time to live=1h)

Any idea?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-25-2017 02:39 PM

Try like this. This will add a column called addedtime to all rows with the time they were added (using scheduled search). The where filter will remove rows older than 1 week from now.

inputlookup phishing.csv | append [look for phishing logs ] | eval addedtime=coalesce(addedtime,now()) | where addedtime>relative_time(now(),"-1w") | outputlookup phishing.csv

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-25-2017 02:39 PM

Try like this. This will add a column called addedtime to all rows with the time they were added (using scheduled search). The where filter will remove rows older than 1 week from now.

inputlookup phishing.csv | append [look for phishing logs ] | eval addedtime=coalesce(addedtime,now()) | where addedtime>relative_time(now(),"-1w") | outputlookup phishing.csv
Reply
Solved! Jump to solution

nazanin2016
Path Finder
‎01-26-2017 09:22 AM

Great,thx,but then shouldn't we say where addedtime <

0 Karma
Reply
Solved! Jump to solution

nazanin2016
Path Finder
‎01-26-2017 09:00 AM

Great,thx,but then shouldn't we say where addedtime

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-26-2017 09:16 AM

I didn't get it. Did portion of your comment got truncated?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...