Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Update CSV values without ovewriting old ones

Sasquatchatmars
Communicator
‎09-28-2020 06:16 AM

Hi, 

I am trying to make a CSV table with users that have logged in the system. The CSV file contains a field "Time" and "Username".

1. Time = Last log in time of the user.

2. Username = The user that logged in.

The goal is the update the last log in time of each user without deleting the other ones. This is what happens now. 

Let's say the first input corresponds to the next example.

 

      Time       |        Username
   1601251200            User_Alpha
   1601254800            User_Bravo
                         User_Charlie
   1601265600            User_Delta

 

 What happens sometimes is that when I'm searching for new entries, it doesn't find log in timestamp for a user so it is left blank like this. 

 

      Time       |        Username
                         User_Alpha
                         User_Bravo
    1601272800           User_Charlie
    1601280000           User_Delta

 

The output that I would like is this 

 

      Time       |        Username
    1601251200           User_Alpha
    1601254800           User_Bravo
    1601272800           User_Charlie
    1601280000           User_Delta

 

Basically, what happened in the last example, it kept the content of example one and added the content of example 2. It updated the last login time from "User_Delta" with the last known log in time. 

I'm getting stuck at this level. Can anyone help me to find out how i do this? My whole search works, except for this part. 

Thanks anyway! 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-28-2020 07:54 AM

Hi @Sasquatchatmars,

there's an error in your search: you have two names for the Time field before the second stats (Time and Lates), you should have the same field name:

index="wineventlog" source="WinEventLog:Security" action=success EventCode=4624 user=* 
| stats max(_time) as Latest by user 
| append [| inputlookup account_status_tracker | fields Latest user]
| stats max(Latest) as "Latest" by user
| table Latest user
| outputlookup account_status_tracker

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

Sasquatchatmars
Communicator
‎09-28-2020 06:35 AM

Hello! Thank you for your reply, I tried what you said but it still overwrites the record with the latest results. For example, if a field in my file contains a result it overwrites it with a blank value if it didn't find anything. Even with the "override_if_empty=false" parameter set

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-28-2020 06:43 AM

Hi @Sasquatchatmars,

let me understand, maybe I'm wrong:

  • you want to store in a lookup all the Usernames that you find in the main search and the ones there are already stored in the lookup,
  • Time must be the latest between search and lookup,
  • if not present in search, it takes the lookup one;

is it correct?

Could you share the search you're using?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Sasquatchatmars
Communicator
‎09-28-2020 06:47 AM

Hi @gcusello,

Indeed that is correct. 

index="wineventlog" source="WinEventLog:Security" action=success EventCode=4624 user=* 
| stats max(_time) as Time by user 
| append [| inputlookup account_status_tracker | fields Latest user]
| stats max(Time) as "Latest" by user
| table Latest user
| outputlookup account_status_tracker

This is the search I am using

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-28-2020 07:54 AM

Hi @Sasquatchatmars,

there's an error in your search: you have two names for the Time field before the second stats (Time and Lates), you should have the same field name:

index="wineventlog" source="WinEventLog:Security" action=success EventCode=4624 user=* 
| stats max(_time) as Latest by user 
| append [| inputlookup account_status_tracker | fields Latest user]
| stats max(Latest) as "Latest" by user
| table Latest user
| outputlookup account_status_tracker

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Sasquatchatmars
Communicator
‎09-28-2020 08:06 AM

hi @gcusello 

This seems to be working! Thank you very much! I am going to test this in the couple of days. If there is anything wrong I'll come back. 

Have a good day,

Sasquatchatmars

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-28-2020 08:10 AM

Hi @Sasquatchatmars,

good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-28-2020 06:25 AM

Hi @Sasquatchatmars,

you have to take records both from main search and lookup, something like this (I think that Username is a field both of the main search and lookup and Time is expressed in epochtime format, if not you have to rename one field and/or change format):

your_search
| rename _time AS Time
| append [ | inputlookup your_lookup.csv | fields Time Username ]
| stats latest(Time) AS Time BY Username
| table Time Username
| outputlookup your_lookup.csv

In this way you have the updated vale from the search and the old values from the lookup and the search takes the latest value.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...