Splunk Search

Modify lookup cells by search command

Engager

I have a lookup called FailuresList
It contains the following fields: date, site, text, excluded
I would like to modify "excluded" from "No" to "Yes" for the keys whose date equals the dateT extracted by the following search:

index=clientlogs FailedApp=* OR "WorkflowServer.CloseApplication * pid:" | rex field=Message.Text "pid: (?<AppPID>\d+)" | transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s mvlist=f | eval dateT=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N")

How shall I do it?

0 Karma
1 Solution

Revered Legend

Another approach. This updates exclude="Yes" for every date that is available in the search.

index=clientlogs  FailedApp=* OR "WorkflowServer.CloseApplication * pid:" | rex field=Message.Text "pid: (?<AppPID>\d+)"| transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s  mvlist=f | eval date=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N") | stats count by date | table date | eval exclude_new="Yes" | eval discard="yes"  | append [| inputlookup FailuresList] | eventstats values(exclude_new) as exclude_new by date | where discard!="yes"  |eval exclude=coalesce(exclude_new,exclude) | fields - exclude_new |    outputlookup FailuresList


0 Karma

Engager

Instead of where discard!="yes", you should use where isnull(discard).
All the rest was perfectly matching. Thanks!

0 Karma
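The accepted answer's merge and the isnull() correction above, modelled in Python as an added example (not Splunk code and not from the thread) so the null-comparison behaviour can be checked offline; it uses the question's field name excluded, and the lookup contents and matched dates are constructed.

```python
import csv
import io

# Constructed sample of the FailuresList lookup (fields from the question: date, site, text, excluded).
FAILURES_LIST_CSV = """date,site,text,excluded
2019-03-01 10:00:00.00,siteA,app crashed,No
2019-03-01 11:30:00.00,siteB,app hung,No
2019-03-02 09:15:00.00,siteA,app crashed,No
"""

# Constructed `date` values as the transaction search in the accepted answer would emit them.
MATCHED_DATES = ["2019-03-01 11:30:00.00", "2019-03-02 09:15:00.00"]


def where_not_equal_yes(discard):
    """SPL `where discard!="yes"`: a comparison on a null field is false, so the row is dropped."""
    return discard is not None and discard != "yes"


def where_isnull(discard):
    """SPL `where isnull(discard)`: keeps exactly the rows that came from inputlookup."""
    return discard is None


def update_excluded(lookup_csv, matched_dates, keep_row):
    """Model of the accepted answer's pipeline: search rows (exclude_new=Yes, discard=yes) appended
    to the lookup rows, exclude_new spread to every row with the same date (eventstats by date),
    rows filtered by keep_row, then excluded = coalesce(exclude_new, excluded)."""
    rows = [{"date": d, "site": None, "text": None, "excluded": None,
             "exclude_new": "Yes", "discard": "yes"} for d in matched_dates]
    for r in csv.DictReader(io.StringIO(lookup_csv)):
        r.update({"exclude_new": None, "discard": None})
        rows.append(r)
    # eventstats: collect the non-null exclude_new value per date, then assign it back to every row
    per_date = {r["date"]: r["exclude_new"] for r in rows if r["exclude_new"] is not None}
    for r in rows:
        r["exclude_new"] = per_date.get(r["date"])
    kept = [r for r in rows if keep_row(r["discard"])]
    # coalesce(exclude_new, excluded) and drop the helper fields; this is what outputlookup would write
    return [{"date": r["date"], "site": r["site"], "text": r["text"],
             "excluded": r["exclude_new"] if r["exclude_new"] is not None else r["excluded"]}
            for r in kept]


if __name__ == "__main__":
    # With the literal `where discard!="yes"` every lookup row is dropped and outputlookup would
    # overwrite FailuresList with an empty table; with isnull() all three rows survive.
    print(update_excluded(FAILURES_LIST_CSV, MATCHED_DATES, where_not_equal_yes))
    print(update_excluded(FAILURES_LIST_CSV, MATCHED_DATES, where_isnull))
```

Running the first variant against a real lookup would empty it, so test this kind of rewrite against a copy of the lookup before pointing outputlookup at the production file.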

Esteemed Legend

Assuming that the key is AppPID, try this:

index=clientlogs FailedApp=* OR "WorkflowServer.CloseApplication * pid:" | rex field=Message.Text "pid: (?<AppPID>\d+)" | transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s mvlist=f | eval dateT=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N") | fields AppPID dateT | append [|inputlookup MyLookupName] | stats values(*) AS * by AppPID | eval excluded = if((date=dateT), "Yes", excluded) | fields - dateT | outputlookup MyLookupName

0 Karma

Engager

AppPID is not the key, therefore it didn't work for me. Any idea?

0 Karma

SplunkTrust

Hi ICAP_RND, if this lookup is CSV-based, the only option is to use inputlookup to pull in the table, use search commands such as eval to adjust the fields as needed, and then outputlookup to rewrite the modified table to disk.

If it is kvstore-based, there are REST commands that can be used for pinpoint modification of specific table entries. More information is available here: http://dev.splunk.com/view/SP-CAAAEZG

Please let me know if this answers your question!

0 Karma

SplunkTrust

Is this lookup kvstore- or CSV-based?

0 Karma