Splunk Search

Modify lookup cells by search command

ICAP_RND
Engager

I have a lookup called FailuresList
It contains the following fields: date, site, text, excluded
I would like to change "excluded" from "No" to "Yes" for the rows whose date equals the dateT extracted by the following search:

index=clientlogs FailedApp=* OR "WorkflowServer.CloseApplication * pid:"
| rex field=Message.Text "pid: (?<AppPID>\d+)"
| transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s mvlist=f
| eval dateT=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N")

How shall I do it?

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Another approach. This updates exclude="Yes" for every date that is available in the search.

index=clientlogs FailedApp=* OR "WorkflowServer.CloseApplication * pid:"
| rex field=Message.Text "pid: (?<AppPID>\d+)"
| transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s mvlist=f
| eval date=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N")
| stats count by date
| table date
| eval exclude_new="Yes"
| eval discard="yes"
| append [| inputlookup FailuresList]
| eventstats values(exclude_new) as exclude_new by date
| where discard!="yes"
| eval exclude=coalesce(exclude_new,exclude)
| fields - exclude_new
| outputlookup FailuresList


0 Karma

ICAP_RND
Engager

Instead of where discard!="yes" you should use where isnull(discard).
All the rest was perfectly matching. Thanks!

0 Karma
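The accepted search with the follow-up correction applied, as an added example that is not part of any post in this thread. It assumes the lookup column is named excluded, as in the question, rather than exclude, as in the answer; the rest of the field names and the FailuresList lookup are taken from the thread.

```spl
index=clientlogs FailedApp=* OR "WorkflowServer.CloseApplication * pid:"
| rex field=Message.Text "pid: (?<AppPID>\d+)"
| transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s mvlist=f
| eval date=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N")
| stats count by date
| table date
| eval excluded_new="Yes", discard="yes"
| append [| inputlookup FailuresList]
| eventstats values(excluded_new) AS excluded_new BY date
| where isnull(discard)
| eval excluded=coalesce(excluded_new, excluded)
| fields - excluded_new
| outputlookup FailuresList
```

The rows that come from inputlookup have no discard field at all, so where discard!="yes" evaluates to false for them and they are dropped; where isnull(discard) keeps exactly those rows and discards only the marker rows generated from the search. The match is done on the date string, so the lookup's date column must use the same strftime format as the search or eventstats will never pair them. Because outputlookup rewrites the whole CSV, run the search once with the last line replaced by | stats count by excluded to preview the result before writing it back.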

woodcock
Esteemed Legend

Assuming that the key is AppPID, try this:

index=clientlogs FailedApp=* OR "WorkflowServer.CloseApplication * pid:"
| rex field=Message.Text "pid: (?<AppPID>\d+)"
| transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s mvlist=f
| eval dateT=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N")
| fields AppPID dateT
| append [| inputlookup MyLookupName]
| stats values(*) AS * by AppPID
| eval excluded = if((date=dateT), "Yes", excluded)
| fields - dateT
| outputlookup MyLookupName
0 Karma

ICAP_RND
Engager

AppPID is not the key, therefore it didn't work for me. Any idea?

0 Karma

muebel
SplunkTrust
SplunkTrust

Hi ICAP_RND, if this lookup is CSV-based, the only option is to use inputlookup to pull in the table, use search commands such as eval to adjust the fields as needed, and then outputlookup to rewrite the modified table to disk.

If it is KV store-based, there are REST endpoints that can be used for pinpoint modification of specific table entries. More information is available here: http://dev.splunk.com/view/SP-CAAAEZG

Please let me know if this answers your question!

0 Karma

muebel
SplunkTrust
SplunkTrust

Is this lookup KV store or CSV based?

0 Karma