Splunk Search

Need help in append

srinivasgowda
Explorer

Hello all,


I am facing an issue in appending a query. Here my objective is to update the KV store with the list of servers, alert_flag (if the alert has been raised) and count (number of times the server has created an event). Below is the query that I have used.


index= index
| lookup source_host_kvstore_001 source_host OUTPUT source_host as temp_source_host count alert_flag| dedup source_host
| eval count=if(isnull(count),0,count)| eval count = count+1
| eval alert_flag = if(isnull(alert_flag),0,if((alert_flag=1),1,0))
| eval _time=now()
| table _time source_host alert_flag count | sort -_time
| outputlookup source_host_kvstore_001 append=true

When the above is run, every time the same host is updated and also added as a new row; however, I need a single update of the count and alert_flag for a host. The data is pushed to the KV store as below, with a new row for each increase in the count.

_time                alert_flag   count   source_host
2021-03-05 13:01:50  0            1       Server 1
2021-03-05 13:01:50  0            1       Server 2
2021-03-05 13:01:50  0            1       Server 3
2021-03-05 13:01:53  0            2       Server 1
2021-03-05 13:01:53  0            2       Server 2
2021-03-05 13:01:53  0            2       Server 3


However, I am looking for the data to be updated in the KV store like below.

_time                alert_flag   count   source_host
2021-03-05 13:01:53  0            2       Server 1
2021-03-05 13:01:53  0            2       Server 2
2021-03-05 13:01:53  0            2       Server 3


Please guide me through this.


Regards


srinivasgowda
Explorer

Hello @manjunathmeti,

Thanks for the quick response. This is still giving the same result by adding new rows for the same source_host in the KV store. I am looking to have a single row for each source_host and just the count to increase every time there is an event from the source_host.


Regards


ITWhisperer
SplunkTrust

You need to use append=false


srinivasgowda
Explorer

This will update the count for the source_host; however, if a new source_host comes in then the existing data in the KV store would be deleted.


ITWhisperer
SplunkTrust

Can you append / union the current contents of the store so your search includes everything you want before you output it?


srinivasgowda
Explorer

Yes, append=false works as long as the same set of source_host is repeated in every run, but if in a run there are events from just one source_host then the remaining ones in the KV store would be deleted, updating just the one that was currently present.


ITWhisperer
SplunkTrust

Exactly, so use inputlookup as part of the search to append or union the current contents of the keystore.


srinivasgowda
Explorer

inputlookup does not work after using outputlookup.


ITWhisperer
SplunkTrust

Use inputlookup (to get current contents) before outputlookup (to write the full set).

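The inputlookup-then-outputlookup merge described above, written out as an added example (this is not code from the original thread). It assumes the events carry a source_host field, that <your_index> is a placeholder for the real index, and that the alert_flag already stored in the collection is the value to preserve; each host seen in the run contributes one row with count=1, so sum(count) increments the stored count by exactly one per run, while max(_time) stamps only the hosts that were seen and max(alert_flag) keeps the stored flag:

```spl
| inputlookup source_host_kvstore_001
| append
    [ search index=<your_index>
      | dedup source_host
      | eval count=1, alert_flag=0, _time=now()
      | fields _time source_host alert_flag count ]
| stats max(_time) AS _time, sum(count) AS count, max(alert_flag) AS alert_flag BY source_host
| fields _time source_host alert_flag count
| outputlookup source_host_kvstore_001 append=false
```

Because every stored row is read back first, append=false can safely rewrite the whole collection and hosts absent from this run keep their previous count and timestamp. The appended subsearch is subject to the subsearch row and time limits, which is why dedup stays inside it.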

manjunathmeti
SplunkTrust

Hi @srinivasgowda,

Use stats with the latest function to get the latest values by source_host.

index= index
| lookup source_host_kvstore_001 source_host OUTPUT source_host as temp_source_host count alert_flag
| eval count=if(isnull(count),1,count+1)
| eval alert_flag = if(isnull(alert_flag),0,if((alert_flag=1),1,0))
| eval _time=now()
| fields _time source_host alert_flag count
| stats latest(_time) as _time latest(*) as * by source_host
| outputlookup source_host_kvstore_001 append=true