Splunk Search

Modify lookup cells by search command

ICAP_RND
Engager

I have a lookup called FailuresList
It contains the following fields: date, site, text, excluded
I would like to change "excluded" from "No" to "Yes" for the rows whose date equals the dateT extracted by the following search

index=clientlogs FailedApp=* OR "WorkflowServer.CloseApplication * pid:" | rex field=Message.Text "pid: (?<AppPID>\d+)"| transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s mvlist=f | eval dateT=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N")

How shall I do it?

0 Karma
1 Solution

somesoni2
Revered Legend

Another approach. This updates exclude="Yes" for every date that is available in the search.

index=clientlogs  FailedApp=* OR "WorkflowServer.CloseApplication * pid:" | rex field=Message.Text "pid: (?<AppPID>\d+)"| transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s  mvlist=f | eval date=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N") | stats count by date | table date | eval exclude_new="Yes" | eval discard="yes"  | append [| inputlookup FailuresList] | eventstats values(exclude_new) as exclude_new by date | where discard!="yes"  |eval exclude=coalesce(exclude_new,exclude) | fields - exclude_new |    outputlookup FailuresList

0 Karma

ICAP_RND
Engager

Instead of where discard!="yes" you should use where isnull(discard)
All the rest matched perfectly. Thanks!

0 Karma
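The accepted search combined with the isnull(discard) correction from the reply above, written out as an added example that is not code from either poster. It assumes the lookup is the CSV described in the question (columns date, site, text, excluded; the accepted answer writes a column named exclude, so the column name here follows the question instead) and reuses the question's index, field and message patterns unchanged. The reason the original where discard!="yes" also dropped the lookup rows is that where evaluates a comparison against a missing field to false, so rows that never had a discard field are filtered out together with the ones that did; isnull(discard) keeps exactly the rows that came from inputlookup.

```spl
index=clientlogs FailedApp=* OR "WorkflowServer.CloseApplication * pid:"
| rex field=Message.Text "pid: (?<AppPID>\d+)"
| transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s mvlist=f
| eval date=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N")
| stats count by date
| fields date
| eval excluded_new="Yes", discard="yes"
| append [| inputlookup FailuresList]
| eventstats values(excluded_new) as excluded_new by date
| where isnull(discard)
| eval excluded=coalesce(excluded_new, excluded)
| fields - excluded_new, discard
| outputlookup FailuresList override_if_empty=false
```

The match between the search and the lookup is an exact string comparison on date, so the strftime format (including the two-digit fractional seconds from %2N) has to be the one the lookup was written with. outputlookup rewrites the whole CSV, so every row that inputlookup returned and that survives the where clause is written back, rows with no matching date keep their existing excluded value through coalesce, and override_if_empty=false stops an unexpectedly empty result (for example a mistyped lookup name in the inputlookup) from replacing the file with an empty one. Run it once without the final outputlookup and inspect the rows before letting it write.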

woodcock
Esteemed Legend

Assuming that the key is AppPID, try this:

index=clientlogs FailedApp=* OR "WorkflowServer.CloseApplication * pid:" | rex field=Message.Text "pid: (?<AppPID>\d+)"| transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s mvlist=f | eval dateT=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N") | fields AppPID dateT | append [|inputlookup MyLookupName] | stats values(*) AS * by AppPID | eval excluded = if((date=dateT), "Yes", excluded) | fields - dateT | outputlookup MyLookupName
0 Karma

ICAP_RND
Engager

AppPID is not the key, therefore it didn't work for me. Any idea?

0 Karma

muebel
SplunkTrust

Hi ICAP_RND, if this lookup is CSV-based, the only option is to use inputlookup to pull in the table, use search commands such as eval to adjust the fields as needed, and then outputlookup to rewrite the modified table to disk.

If it is KV store-based, there are REST commands that can be used for pinpoint modification of specific table entries. More information is available here : http://dev.splunk.com/view/SP-CAAAEZG

Please let me know if this answers your question!

0 Karma
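For the KV store case muebel describes, the pinpoint update can also be done from SPL instead of the REST API: a KV store-backed lookup returns each record's _key from inputlookup, and outputlookup with append=true key_field=_key updates only the records whose _key is in the results rather than rewriting the collection. This is an added example, not muebel's code. It assumes FailuresList has been defined as a KV store lookup (a transforms.conf stanza with external_type=kvstore over a collection holding the same date, site, text and excluded fields), and the two dates built with makeresults are constructed stand-ins for the dates the question's failure search produces.

```spl
| makeresults
| eval date=mvappend("2024-03-12 09:41:07.35", "2024-03-12 09:52:13.02")
| mvexpand date
| fields date
| eval hit="yes"
| append [| inputlookup FailuresList]
| eventstats values(hit) as hit by date
| where isnotnull(_key) AND hit="yes"
| eval excluded="Yes"
| fields - hit
| outputlookup FailuresList append=true key_field=_key
```

The where clause keeps only rows that came from the collection (they carry a _key) and whose date also appeared in the constructed list; the constructed rows themselves have no _key and are discarded, so nothing is inserted. Dropping hit before outputlookup matters because a KV store collection will otherwise store it as a new field on the updated records. To drive this from the real search, replace the makeresults block with the question's search ending in stats count by date | fields date.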

muebel
SplunkTrust

Is this lookup KV store or CSV based?

0 Karma