Solved: How to use comparison logic to add / remove entrie...

mark_cet · ‎02-14-2023

Hello again, my apologies for all of these questions.

I have a lookup table called login_sessions.csv which will keep track of allowed login sessions. It has the following columns UID, sessionstart, and sessionend.

I would like to add and remove entries to the lookup table depending on the value of a field called "action" in the events.

If the value of action is "login" then I would like to add the userID, session_start, session_end fields from the event into the login_sessions.csv lookup, and if the value is "logoff" then I would like to remove the existing entry from the lookup.

I was hoping I could use something like an if or case statement to do this, but I have only seen them used with eval and I haven't had much luck so far.

E.G.

if(action=="login", (inputlookup append=true login_sessions.csv | eval UID=userID, sessionstart=session_start, sessionend=session_end | outputlookup login_sessions.csv))

Is there a way to do this in a search?

Thank you for any assistance.

richgalloway · ‎02-14-2023

SPL does not support branching commands. Branching is only supported within the eval, where, and fieldformat commands.

To remove lines from a lookup table, use the where command to filter out unwanted result and write the remainder back to the lookup.

| inputlookup append=true login_sessions.csv
| where action!="login"
| eval UID=userID, sessionstart=session_start, sessionend=session_end
| outputlookup login_sessions.csv

---
If this reply helps you, Karma would be appreciated.

View solution in original post

mark_cet · ‎02-14-2023

Perfect, thank you for clarifying!

richgalloway · ‎02-14-2023

SPL does not support branching commands. Branching is only supported within the eval, where, and fieldformat commands.

To remove lines from a lookup table, use the where command to filter out unwanted result and write the remainder back to the lookup.

| inputlookup append=true login_sessions.csv
| where action!="login"
| eval UID=userID, sessionstart=session_start, sessionend=session_end
| outputlookup login_sessions.csv

---
If this reply helps you, Karma would be appreciated.

mark_cet · ‎02-15-2023

Sorry one more question. Can I use a field name in the where command?

| eval search_action="login"

| where action!=search_action

I gave it a try but it doesn't appear to work.

Thanks.

richgalloway · ‎02-15-2023

Yes, the where command supports field names on both sides of the expression (unlike the search command).

---
If this reply helps you, Karma would be appreciated.

mark_cet · ‎02-17-2023

My apologies Rich, I am not able to get this to work if I use field names on both sides of the expression in my where command.

Is there a special way to identify that it is a field and not a value?

Thanks.

mark_cet · ‎02-23-2023

I was not able to get the field names to work in the where command so I had to redo my lookup so I could use static values instead of the field names. The KV Store lookup appears to work much better when removing rows.

Thanks anyways.

How to use comparison logic to add / remove entries from a lookup table?

lookup

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...