Replacing values in a column in a lookup table wit...

loki · ‎11-01-2022

Hi,

I have been tasked to design an alert to trigger whenever there is a modification of the "search query" of an alert. To achieve this, I have decided to use the following approach:
1.compute the hash value of the search 2.create a lookup table (say, search_hash.csv) 3.and then compute the hash of the search (say every 24hr) 4.and now compare the computed hash against the already existing hash in the lookuptable 5.and if there is a difference, then REPLACE the value in the original lookup file search_hash.csv. with the dynamically computed value.

I have been able to reach step 4, but stuck at STEP 5. Please can some help me how I can achieve the last step of DYNAMICALLY REPLACING VALUES OF A LOOKUP WITH SEARCH RESULTS.?

richgalloway · ‎11-01-2022

You can't replace individual values of a lookup file. You have to re-write the whole thing.

| inputlookup mylookup.csv
```make some changes```
| outputlookup mylookup.csv

An alternative is to use a KVstore collection for the hashes. Those can be updated individually.

---
If this reply helps you, Karma would be appreciated.

Replacing values in a column in a lookup table with the results from a search query?

field extraction

join

lookup

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?