Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need help in append

srinivasgowda
Explorer
‎03-05-2021 12:02 AM

Hello all,

 

I am facing an issue in appending an query. Here my objective is to update the kv store with the list of servers, alert_flag(if the alert has been raised) and count(number of times the server has created an event). Below is the query that I have used.

 

index= index
| lookup source_host_kvstore_001 source_host OUTPUT source_host as temp_source_host count alert_flag| dedup source_host
| eval count=if(isnull(count),0,count)| eval count = count+1
| eval alert_flag = if(isnull(alert_flag),0,if((alert_flag=1),1,0))
| eval _time=now()
| table _time source_host alert_flag count | sort -_time
| outputlookup source_host_kvstore_001 append=true

When the above is ran everytime the same host is updated and also added in the new row, however, I need a single update of the count and alert_flag for a host. The data is pushed to the kv store as below by a new increase in the count.

 

_time             alert_flag            count           source_host
2021-03-05 13:01:50      0         1          Server 1
2021-03-05 13:01:50      0         1          Server 2
2021-03-05 13:01:50      0         1          Server 3
2021-03-05 13:01:53      0         2          Server 1
2021-03-05 13:01:53      0         2          Server 2
2021-03-05 13:01:53      0         2          Server 3

 

However, I am looking for the data to be updated in the KV store like below.

_time             alert_flag            count           source_host
2021-03-05 13:01:53      0         2          Server 1
2021-03-05 13:01:53      0         2          Server 2
2021-03-05 13:01:53      0         2          Server 3

 

Please guide me through this.

 

Regards

Labels (1)
Labels
Tags (3)
0 Karma
Reply

srinivasgowda
Explorer
‎03-05-2021 12:35 AM

Hello @manjunathmeti ,

Thanks for the quick response. This is still giving the same result by adding new rows for the same source_host in the kvstore. I am looking to have a singe row for each source_host and just the count to increase everytime there is an event from the source_host.

 

Regards

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-05-2021 12:36 AM

You need to use append=false

0 Karma
Reply

srinivasgowda
Explorer
‎03-05-2021 03:05 AM

This will update the count for the source_host, however, if a new source_host come in then the existing data in the kvstore would be deleted.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-05-2021 03:16 AM

Can you append / union the current contents of the store so your search includes everything you want before you output it?

0 Karma
Reply

srinivasgowda
Explorer
‎03-05-2021 03:19 AM

Yes, append=false works as long as the same set of source_host is repeated in every run, but if in a run there is events from just 1 source_host then the remaining in the kvstore would be deleted updating just the one that was currently present.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-05-2021 03:35 AM

Exactly, so use inputlookup as part of the search to append or union the current contents of the keystore

0 Karma
Reply

srinivasgowda
Explorer
‎03-05-2021 03:40 AM

inputlookup does not work after using outputlookup.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-05-2021 04:32 AM

Use inputlookup (to get current contents) before outputlookup (to write full set)

0 Karma
Reply

manjunathmeti
Champion
‎03-05-2021 12:28 AM

hi @srinivasgowda,

Use stats with latest function to get latest values by source_host.

index= index
| lookup source_host_kvstore_001 source_host OUTPUT source_host as temp_source_host count alert_flag
| eval count=if(isnull(count),1,count+1)
| eval alert_flag = if(isnull(alert_flag),0,if((alert_flag=1),1,0))
| eval _time=now()
| fields _time source_host alert_flag count 
| stats latest(_time) as _time latest(*) as * by source_host
| outputlookup source_host_kvstore_001 append=true
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...