How to use comparison logic to add / remove entries from a lookup table?

mark_cet
Path Finder

Hello again, my apologies for all of these questions.

I have a lookup table called login_sessions.csv which will keep track of allowed login sessions. It has the following columns UID, sessionstart, and sessionend.

I would like to add and remove entries to the lookup table depending on the value of a field called "action" in the events.

If the value of action is "login" then I would like to add the userID, session_start, session_end fields from the event into the login_sessions.csv lookup, and if the value is "logoff" then I would like to remove the existing entry from the lookup.

I was hoping I could use something like an if or case statement to do this, but I have only seen them used with eval and I haven't had much luck so far.

E.G.

if(action=="login", (inputlookup append=true login_sessions.csv | eval UID=userID, sessionstart=session_start, sessionend=session_end | outputlookup login_sessions.csv))

Is there a way to do this in a search?

Thank you for any assistance.

1 Solution

richgalloway
SplunkTrust

SPL does not support branching commands. Branching is only supported within the eval, where, and fieldformat commands.

To remove lines from a lookup table, use the where command to filter out unwanted results and write the remainder back to the lookup.

| inputlookup append=true login_sessions.csv
| where action!="login"
| eval UID=userID, sessionstart=session_start, sessionend=session_end
| outputlookup login_sessions.csv

---
If this reply helps you, Karma would be appreciated.

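Building on the accepted answer, this is one full search (an added example, not code from the thread) that applies both halves of the poster's requirement in a single pass: each login event is written into login_sessions.csv, and a later logoff for the same user removes that user's row. It assumes the events live in index=auth (an assumed index name) and carry action, userID, session_start and session_end, and that rows already in the lookup have no action field and therefore represent still-active logins.

```spl
index=auth (action="login" OR action="logoff")
| eval UID=userID, sessionstart=session_start, sessionend=session_end
| inputlookup append=true login_sessions.csv
| eval action=coalesce(action, "login"), _time=coalesce(_time, 0)
| sort 0 -_time
| dedup UID
| where action="login"
| table UID sessionstart sessionend
| outputlookup login_sessions.csv
```

Existing lookup rows are given _time=0 so that any event in the search window outranks them, and sort followed by dedup keeps only the most recent row per UID, so a user who logs off and then logs in again inside the same window keeps the newer login row rather than being dropped.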

mark_cet
Path Finder

Perfect, thank you for clarifying!

mark_cet
Path Finder

Sorry one more question. Can I use a field name in the where command?

| eval search_action="login"

| where action!=search_action

I gave it a try but it doesn't appear to work.

Thanks.

richgalloway
SplunkTrust

Yes, the where command supports field names on both sides of the expression (unlike the search command).

---
If this reply helps you, Karma would be appreciated.

mark_cet
Path Finder

My apologies Rich, I am not able to get this to work if I use field names on both sides of the expression in my where command.

Is there a special way to identify that it is a field and not a value?

Thanks.

mark_cet
Path Finder

I was not able to get the field names to work in the where command so I had to redo my lookup so I could use static values instead of the field names. The KV Store lookup appears to work much better when removing rows.

Thanks anyways.
