Solved: Re: Modify lookup cells by search command

ICAP_RND · ‎02-21-2017

I have a lookup called FailuresList
It contains the following fields: date, site, text, excluded
I would like to modify the "excluded" from "No" to "Yes" of keys that their date equals to DateT extracted by the following search

index=clientlogs FailedApp=* OR "WorkflowServer.CloseApplication * pid:" | rex field=Message.Text "pid: (?\d+)"| transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s mvlist=f | eval dateT=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N")

How shall I do it?

somesoni2 · ‎02-21-2017

Another approach. This is updating exclude="Yes" for every date which are available in the search.

index=clientlogs  FailedApp=* OR "WorkflowServer.CloseApplication * pid:" | rex field=Message.Text "pid: (?<AppPID>\d+)"| transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s  mvlist=f | eval date=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N") | stats count by date | table date | eval exclude_new="Yes" | eval discard="yes"  | append [| inputlookup FailuresList] | eventstats values(exclude_new) as exclude_new by date | where discard!="yes"  |eval exclude=coalesce(exclude_new,exclude) | fields - exclude_new |    outputlookup FailuresList

View solution in original post

somesoni2 · ‎02-21-2017

Another approach. This is updating exclude="Yes" for every date which are available in the search.

index=clientlogs  FailedApp=* OR "WorkflowServer.CloseApplication * pid:" | rex field=Message.Text "pid: (?<AppPID>\d+)"| transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s  mvlist=f | eval date=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N") | stats count by date | table date | eval exclude_new="Yes" | eval discard="yes"  | append [| inputlookup FailuresList] | eventstats values(exclude_new) as exclude_new by date | where discard!="yes"  |eval exclude=coalesce(exclude_new,exclude) | fields - exclude_new |    outputlookup FailuresList

ICAP_RND · ‎02-21-2017

Instead of where discard!="yes" you shall use where isnull(discard)
All the rest was perfectly matching. Thanks!

woodcock · ‎02-21-2017

Assuming that the key is AppPID, try this:

index=clientlogs FailedApp= OR "WorkflowServer.CloseApplication pid:" | rex field=Message.Text "pid: (?\d+)"| transaction AppPID host startswith="WorkflowServer.CloseApplication pid:" endswith="Application failed" maxspan=60s mvlist=f | eval dateT=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N") | fields AppPID dateT | append [|inputlookup MyLookupName] | stats values(*) AS * by AppPID | eval excluded = if((date=dateT), "Yes", excluded) | fields - dateT | outputlookup MyLookupName

ICAP_RND · ‎02-21-2017

AppPID is not the key, therefore it didn't work for me. Any idea?

muebel · ‎02-21-2017

Hi ICAP_RND, if this lookup is csv based, the only option is to use inputlookup to pull in the table, use search commands such as eval to adjust the fields as needed, and then outputlookup to rewrite the modified table to disk.

If it is kvstore based, there are rest commands that can be used for pinpoint modification of specific table entries. More information is available here : http://dev.splunk.com/view/SP-CAAAEZG

Please let me know if this answers your question!

muebel · ‎02-21-2017

Is this lookup kvstore of csv based?

Modify lookup cells by search command

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services