Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to update a lookup table with certain fields but leave rest of the columns with its custom values

justinchen
Explorer
‎07-16-2020 01:10 AM

Hi There,

I have a lookup table that generate one lookup table yet it has some custom column that do not have values by default, and I add custom values to them.

The columns which I want to update by SPL are

hostindexfirstTimelastTimetotalCount

 

The columns which I want to update their values manually are:

accepted_deltais_expected

 

Below is a screenshot of this table.

justinchen_1-1594886376688.png

Currently we are using the following daily SPL to update this table, but I am really bad at SPL, the bug is that it will just overwrite everything that in this lookup table and all my custom values (columns of accepted_delta, is_expected) all gone.

| tstats count as totalCount earliest(_time) as firstTime latest(_time) as lastTime where index!="main" by index host
| fields host index firstTime lastTime totalCount accepted_delta is_expected

| fillnull value=1000000000 accepted_delta
| fillnull value="false" is_expected
| outputlookup  nonforwarderhost.csv

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

justinchen
Explorer
‎07-16-2020 07:35 PM

I have tuned the SPL with:

| tstats count as totalCount earliest(_time) as firstTime latest(_time) as lastTime where index!="main" by index host
| join overwrite=t type=outer
[inputlookup nonforwarderhost.csv
| fields index host accepted_delta is_expected]
| fields index host firstTime lastTime totalCount accepted_delta is_expected
| fillnull value=1000000000 accepted_delta
| fillnull value="FALSE" is_expected
| outputlookup nonforwarderhost.csv

 

And now this is working as expected. 😀

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-16-2020 01:46 AM

Hi @justinchen,

probably in the shared search there's something missing because there's only one "]".

Anyway, you have to define the values in your lookup using fields or table command before outputlookup, listing all the fields you need.

to be sure that also the missing fields are present, you could use eval:

| tstats count as totalCount earliest(_time) as firstTime latest(_time) as lastTime where index!="main" by index host
| fillnull accepted_delta 
| fillnull is_expected
| table host index firstTime lastTime totalCount accepted_delta is_expected
| outputlookup  nonforwarderhost.csv

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

justinchen
Explorer
‎07-16-2020 06:23 PM

 

Thanks you @gcusello  that you pointed out my error in the SPL. I have edited that. Yet this still update the filelds with my custom values with column(accepted_delta and is_expected).

I will keep this question to you and myself. I am certain is doable but need some effort to find out how.

🙂

 

0 Karma
Reply
Solved! Jump to solution
Solution

justinchen
Explorer
‎07-16-2020 07:35 PM

I have tuned the SPL with:

| tstats count as totalCount earliest(_time) as firstTime latest(_time) as lastTime where index!="main" by index host
| join overwrite=t type=outer
[inputlookup nonforwarderhost.csv
| fields index host accepted_delta is_expected]
| fields index host firstTime lastTime totalCount accepted_delta is_expected
| fillnull value=1000000000 accepted_delta
| fillnull value="FALSE" is_expected
| outputlookup nonforwarderhost.csv

 

And now this is working as expected. 😀

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top