Splunk Search

Updating one Field in a lookup table

MoeTaher
New Member

Hello All, 

I have a task to measure the compliance of security solutions onboarded to the SIEM; that means I have to regularly check whether a solution is onboarded by checking if any logs are being generated in a specific index.

For example, my search query will be:

index=EDR
| stats count
| eval status=if(count > 0, "Compliant", "Not Compliant")
| fields - count

Results that I should have:

status
Compliant

 

I have a lookup table called compliance.csv and I need to update the status from "Not Compliant" to "Compliant".

Solution   Status
EDR        Not Compliant
DLP        Not Compliant

 

How can I utilize the outputlookup command to update the table, not overwrite or append it?

 

 


bowesmana
SplunkTrust

Rather than using the subsearch syntax with append

| append [ 
  | inputlookup ...
]

use the native

| inputlookup append=t

which has no subsearch limitations. You also don't need the redundant fields command as it will be removed with the stats, so 

index=EDR
| stats count
| eval Status=if(count > 0, "Compliant", "Not Compliant"), Solution="EDR"
| inputlookup append=t compliance.csv
| stats first(Status) AS Status BY Solution
| outputlookup compliance.csv

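The same merge-and-rewrite pattern, generalized so that one scheduled search refreshes every row of the lookup rather than one solution at a time. This is an added example, not code from any of the posters in this thread. It assumes the index names are the lower-case form of the lookup's Solution column (edr, dlp) and a 24-hour compliance window; both are assumptions to adjust for your environment.

```spl
| tstats count WHERE index IN (edr, dlp) earliest=-24h BY index
| eval Solution=upper(index)
| inputlookup append=t compliance.csv
| fillnull value=0 count
| stats sum(count) AS count BY Solution
| eval Status=if(count > 0, "Compliant", "Not Compliant")
| fields Solution Status
| outputlookup compliance.csv
```

tstats counts indexed events per index without scanning raw events, so the search stays cheap at a frequent schedule. Unlike `index=EDR | stats count`, which returns a single row with count 0 when the index is empty, tstats returns no row at all for an index that produced nothing in the window; the lookup rows appended afterwards supply the full set of Solution keys, and fillnull gives those rows a count of 0, so every solution survives the stats and a silent index lands as "Not Compliant" instead of silently keeping its old status. Because sum is order-independent, this version does not depend on the search rows arriving before the lookup rows, which the `first(Status)` variants above do rely on. As noted elsewhere in the thread, outputlookup still rewrites the whole CSV, which is exactly why every Solution has to be present in the result before that last line.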
 

PickleRick
SplunkTrust

Depends on the lookup type. If your lookup is a csv-file based one, you can't update it. The only thing you can do, as was shown by @gcusello , is to overwrite whole lookup with updated contents.


gcusello
SplunkTrust

Hi @MoeTaher ,

please try something like this:

index=EDR
| stats count
| eval Status=if((count > "0"),"Compliant","Not Compliant"), Solution="EDR"
| fields -count
| appemd [ | inputlookup compliance.csv | fields Solution Status ]
| stats first(Status) AS Status BY Solution
| outputlookup compliance.csv

Ciao.

Giuseppe

marnall
Motivator

@gcusello has a good solution, but mind the typos (the space in the fields command, and "append"):

...
| fields - count
| append [ | inputlookup compliance.csv | fields Solution Status ]
...

 

gcusello
SplunkTrust

Hi @MoeTaher ,

yes correct (I'm sorry!):

index=EDR
| stats count
| eval Status=if(count > 0, "Compliant", "Not Compliant"), Solution="EDR"
| fields - count
| append [ | inputlookup compliance.csv | fields Solution Status ]
| stats first(Status) AS Status BY Solution
| outputlookup compliance.csv

Ciao.

Giuseppe
