How to use comparison logic to add / remove entries from a lookup table?

mark_cet
Path Finder

Hello again, my apologies for all of these questions.

I have a lookup table called login_sessions.csv which will keep track of allowed login sessions. It has the following columns UID, sessionstart, and sessionend.

I would like to add and remove entries to the lookup table depending on the value of a field called "action" in the events.

If the value of action is "login" then I would like to add the userID, session_start, session_end fields from the event into the login_sessions.csv lookup, and if the value is "logoff" then I would like to remove the existing entry from the lookup.

I was hoping I could use something like an if or case statement to do this, but I have only seen them used with eval and I haven't had much luck so far.

E.G.

if(action=="login", (inputlookup append=true login_sessions.csv | eval UID=userID, sessionstart=session_start, sessionend=session_end | outputlookup login_sessions.csv))

Is there a way to do this in a search?

Thank you for any assistance.


richgalloway
SplunkTrust

SPL does not support branching commands. Branching is only supported within the eval, where, and fieldformat commands.

To remove lines from a lookup table, use the where command to filter out unwanted results and write the remainder back to the lookup.

| inputlookup append=true login_sessions.csv
| where action!="login"
| eval UID=userID, sessionstart=session_start, sessionend=session_end
| outputlookup login_sessions.csv

---
If this reply helps you, Karma would be appreciated.
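Because SPL has no if/else across commands, the usual pattern is two scheduled searches that each maintain the lookup for one action. The following is an added example, not richgalloway's or Splunk's own code; it assumes a hypothetical index named auth that holds the events with the action, userID, session_start and session_end fields from the question. The first search appends every new login to login_sessions.csv (dedup keeps overlapping schedule windows from writing the same session twice). The second search tags each lookup row whose UID also appears in a logoff event, keeps only the untagged rows, strips the helper field so it is not written into the lookup, and writes the remainder back.

```spl
index=auth action="login"
| eval UID=userID, sessionstart=session_start, sessionend=session_end
| table UID sessionstart sessionend
| inputlookup append=true login_sessions.csv
| dedup UID sessionstart
| outputlookup login_sessions.csv

index=auth action="logoff"
| eval UID=userID, logged_off=1
| table UID logged_off
| inputlookup append=true login_sessions.csv
| eventstats max(logged_off) AS logged_off BY UID
| where isnull(logged_off)
| fields - logged_off
| outputlookup login_sessions.csv
```

In the second search the logoff event rows carry logged_off=1 themselves, so they are dropped by the where command along with the lookup rows that share their UID; only lookup rows for users without a logoff in the search window survive to outputlookup. Run both searches on the same schedule, with the time range matching the schedule interval, so no login or logoff event is missed.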

mark_cet
Path Finder

Perfect, thank you for clarifying!

mark_cet
Path Finder

Sorry, one more question. Can I use a field name in the where command?

| eval search_action="login"

| where action!=search_action

I gave it a try but it doesn't appear to work.

Thanks.

richgalloway
SplunkTrust

Yes, the where command supports field names on both sides of the expression (unlike the search command).

---
If this reply helps you, Karma would be appreciated.
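A self-contained way to see the difference between where and search on a field-to-field comparison, added here as an example rather than code from the thread; the three rows are constructed with makeresults and streamstats so it runs in any Splunk instance without a lookup or index.

```spl
| makeresults count=3
| streamstats count AS n
| eval action=case(n==1, "login", n==2, "logoff", n==3, "login"), search_action="login"
| where action!=search_action
```

This returns the single logoff row: in where, the bare token search_action is a field reference, and only quoted text is a string literal. Swapping the last line for `| search action!=search_action` returns all three rows, because the search command compares action against the literal string "search_action". One caveat when combining this with inputlookup append=true: where drops any row on which either side of the comparison is null, so the eval that defines search_action must come after the inputlookup, otherwise the appended lookup rows never get the field and are all filtered out.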

mark_cet
Path Finder

My apologies Rich, I am not able to get this to work if I use field names on both sides of the expression in my where command.

Is there a special way to identify that it is a field and not a value?

Thanks.

mark_cet
Path Finder

I was not able to get the field names to work in the where command so I had to redo my lookup so I could use static values instead of the field names. The KV Store lookup appears to work much better when removing rows.

Thanks anyways.
