Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Update a single field in lookup table from a search

watsm10
Communicator
‎01-07-2013 08:15 AM

Fellow Splunkers,

I've got an automatic lookup table (lookup.csv) which has a field in called Count. Every time my search runs (triggered alert) I'd like the count field to be incremented by 1, so that I can see how many times the alert has been triggered previously and include this in the alert email as a field from the lookup table.

I've tried this, but it hasn't worked for me:
| eval Count=Count+1 | outputlookup Count lookup.csv

Do I need to run a subsearch? I'm not entirely sure how to do it.

How would I go about doing this?

Many thanks.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎01-07-2013 08:27 AM

You're so close!

Begin with | inputlookup lookup.csv then do your | eval | outputlookup. I utilize this method quite frequently to keep CSVs well groomed.

0 Karma
Reply

watsm10
Communicator
‎01-07-2013 09:04 AM

Here is my search:
sourcetype="production_env" | chart eval(round(((count(eval(Status="Error"))/count)*100),2)) as "FailureRate", values(Threshold) as "Threshold", values(AlertStatus) as "AlertStatus", values(FailCount) as "Total Alerts" by ServiceNameLookup | eval AlertStatus = if(FailureRate>Threshold, "Failure rate over ".Threshold."% for the last 15 mins","OK") | rename ServiceNameLookup as "Service Name", FailureRate as "Failure Rate"

It invokes the lookup table with a list of service names and thresholds, then compares the failure rate against the threshold. How would adapt your method?

Reply

sowings
Splunk Employee
Splunk Employee
‎01-07-2013 08:48 AM

If it's part of an alerting search, then I'd say "yes", but to be sure, I'd have to know what the rest of the search is doing.

If the contents of the lookup table drive the alerting search (i.e. you start with |inputlookup then the result set will include count, and you can output that to update the count. But if the count lookup is completely separate from the alerting results, (that is, the lookup contains only the count) you'll have to tweak the search somewhat.

0 Karma
Reply

watsm10
Communicator
‎01-07-2013 08:39 AM

Thanks, so shall I just pipe this onto the end of my search? Or have this as a subsearch which runs and updates it separately?

Many thanks.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...