Splunk Search

If I use an automatic lookup to overwrite field values, can it be configured to overwrite only if a match exists?

andrewtrobec
Motivator

Hello all,
The question is self-explanatory I think. I've seen similar questions that are resolved with an eval, but in my case I'm trying to make everything automatic. Since the sequence of search-time operations dictates that lookups are after calculated fields, there is no way to automatically run the eval to either validate with an if statement or coalesce. This is why I'm hoping there is a way during an automatic lookup to leave an existing value if there is no match instead of replacing with null.
Is this possible?
Thank you and best regards,
Andrew

0 Karma

JimGat
New Member

You need to use an eval after the lookup, making sure that the lookup fields have a different name. I have an example of that for an automated identity population for Enterprise Security where I created an override lookup after the LDAP query. Here is just the lookup and eval.

`comment("Override priority and category Values if in es_identity_override.csv")`
| lookup es_identity_override.csv identity as sAMAccountName OUTPUT category as OVcategory priority as OVpriority bunit as OVbunit
| eval category=if(isnull(OVcategory), category, OVcategory)
| eval priority=if(isnull(OVpriority), priority, OVpriority)
| eval bunit=if(isnull(OVbunit), bunit, OVbunit)
0 Karma

starcher
SplunkTrust

outputnew instead of output

0 Karma

andrewtrobec
Motivator

@starcher Thanks for the suggestion

AFAIK the OUTPUTNEW command will only fill in NULL values. What I'm trying to do is overwrite existing values. Am I understanding correctly?

0 Karma

starcher
SplunkTrust

I misread the issue. Yeah, you have output, which overwrites, or outputnew, which only writes if it's not already there. So the command by itself won't solve that.

0 Karma
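Added example, not from the thread: a small Python model of the three merge behaviours discussed above (OUTPUT, OUTPUTNEW, and JimGat's OUTPUT-into-OV*-fields-then-eval pattern), run over a constructed stand-in for es_identity_override.csv and constructed events. Field and key names follow JimGat's search; the table contents are made up.

```python
from typing import Dict, Optional

Row = Dict[str, Optional[str]]
FIELDS = ("category", "priority", "bunit")
KEY = "sAMAccountName"

# Constructed stand-in for es_identity_override.csv, keyed by identity.
# A None cell models an empty CSV cell, for which the lookup returns null.
OVERRIDE_TABLE: Dict[str, Row] = {
    "alice": {"category": "executive", "priority": "critical", "bunit": "finance"},
    "bob":   {"category": "contractor", "priority": None, "bunit": "it"},
}


def lookup_output(event: Row, table: Dict[str, Row] = OVERRIDE_TABLE) -> Row:
    """OUTPUT: every output field is replaced, so an unmatched identity ends
    up with null in all three fields (the behaviour the question wants to avoid)."""
    match = table.get(event.get(KEY), {})
    out = dict(event)
    for f in FIELDS:
        out[f] = match.get(f)
    return out


def lookup_outputnew(event: Row, table: Dict[str, Row] = OVERRIDE_TABLE) -> Row:
    """OUTPUTNEW: a field is written only when the event has no value for it,
    so an existing value is never replaced even when the identity matches."""
    match = table.get(event.get(KEY), {})
    out = dict(event)
    for f in FIELDS:
        if out.get(f) is None:
            out[f] = match.get(f)
    return out


def lookup_override_if_match(event: Row, table: Dict[str, Row] = OVERRIDE_TABLE) -> Row:
    """JimGat's pattern: OUTPUT into OVcategory/OVpriority/OVbunit, then
    eval field=if(isnull(OVfield), field, OVfield) for each field."""
    match = table.get(event.get(KEY), {})
    out = dict(event)
    for f in FIELDS:
        ov = match.get(f)  # the OV* field; null when unmatched or the cell is empty
        out[f] = out.get(f) if ov is None else ov
    return out


if __name__ == "__main__":
    ev = {KEY: "carol", "category": "normal", "priority": "low", "bunit": "hr"}
    for fn in (lookup_output, lookup_outputnew, lookup_override_if_match):
        print(fn.__name__, fn(ev))
```

Note the "bob" row: its empty priority cell leaves the event's own priority in place under the override pattern, which is exactly the isnull() check doing its job.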