Splunk Search

How to use comparison logic to add / remove entries from a lookup table?

mark_cet
Path Finder

Hello again, my apologies for all of these questions.

I have a lookup table called login_sessions.csv which will keep track of allowed login sessions. It has the following columns: UID, sessionstart, and sessionend.

I would like to add and remove entries to the lookup table depending on the value of a field called "action" in the events.

If the value of action is "login" then I would like to add the userID, session_start, session_end fields from the event into the login_sessions.csv lookup, and if the value is "logoff" then I would like to remove the existing entry from the lookup.

I was hoping I could use something like an if or case statement to do this, but I have only seen them used with eval and I haven't had much luck so far.

E.G.

if(action=="login", (inputlookup append=true login_sessions.csv | eval UID=userID, sessionstart=session_start, sessionend=session_end | outputlookup login_sessions.csv))


Is there a way to do this in a search?

Thank you for any assistance.


richgalloway
SplunkTrust

SPL does not support branching commands. Branching is only supported within the eval, where, and fieldformat commands.

To remove lines from a lookup table, use the where command to filter out unwanted results and write the remainder back to the lookup.

| inputlookup append=true login_sessions.csv
| where action!="login"
| eval UID=userID, sessionstart=session_start, sessionend=session_end
| outputlookup login_sessions.csv


---
If this reply helps you, Karma would be appreciated.


mark_cet
Path Finder

Perfect, thank you for clarifying!


mark_cet
Path Finder

Sorry, one more question. Can I use a field name in the where command?

| eval search_action="login"

| where action!=search_action

I gave it a try but it doesn't appear to work.


Thanks.


richgalloway
SplunkTrust

Yes, the where command supports field names on both sides of the expression (unlike the search command).

---
If this reply helps you, Karma would be appreciated.
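One way to do both the add and the remove in a single search, given that SPL has no branching (the accepted answer above) and that where can compare two fields (this reply): an added example, not from the thread, that assumes the events live in index=auth and carry the userID, session_start, session_end and action fields named in the question. It merges the new events with the current lookup, keeps only the latest record per UID, drops users whose latest record is a logoff, and writes the remainder back.

```spl
index=auth (action="login" OR action="logoff")
| eval UID=userID, sessionstart=session_start, sessionend=session_end
| table _time UID sessionstart sessionend action
| append
    [| inputlookup login_sessions.csv
     | eval action="existing", _time=0 ]
| dedup UID sortby -_time
| eval remove_action="logoff"
| where action!=remove_action
| table UID sessionstart sessionend
| outputlookup login_sessions.csv
```

Run it on a schedule over the window since the previous run, and create the lookup (even empty) before the first run, because inputlookup fails on a missing file; outputlookup rewrites the whole CSV, so runs must not overlap.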

mark_cet
Path Finder

My apologies Rich, I am not able to get this to work if I use field names on both sides of the expression in my where command.

Is there a special way to identify that it is a field and not a value?


Thanks.


mark_cet
Path Finder

I was not able to get the field names to work in the where command so I had to redo my lookup so I could use static values instead of the field names. The KV Store lookup appears to work much better when removing rows.


Thanks anyways.
