Hello All,
I have a task to measure the compliance of the security solutions onboarded on the SIEM. That means I have to regularly check whether a solution is onboarded by checking whether any logs are being generated in a specific index.
For example, my search query will be:
index=EDR
| stats count
| eval status=if((count > "0"),"Compliant","Not Compliant")
| fields - count
The result I should get:
status |
Compliant |
I have a lookup table called compliance.csv and i need to update the status from "Not Compliant" to "Compliant".
Solution | Status |
EDR | Not Compliant |
DLP | Not Compliant |
How can I use the outputlookup command to update the table, rather than overwrite or append to it?
Rather than using the subsearch syntax with append
| append [
| inputlookup ...
]
use the native
| inputlookup append=t
which has no subsearch limitations. You also don't need the redundant fields command, as count will be removed by the stats anyway, so:
index=EDR
| stats count
| eval Status=if((count > "0"),"Compliant","Not Compliant"), Solution="EDR"
| inputlookup append=t compliance.csv
| stats first(Status) AS Status BY Solution
| outputlookup compliance.csv
It depends on the lookup type. If your lookup is a CSV-file-based one, you can't update it in place. The only thing you can do, as @gcusello showed, is to overwrite the whole lookup with the updated contents.
Hi @MoeTaher ,
please try something like this:
index=EDR
| stats count
| eval Status=if((count > "0"),"Compliant","Not Compliant"), Solution="EDR"
| fields -count
| appemd [ | inputlookup compliance.csv | fields Solution Status ]
| stats first(Status) AS Status BY Solution
| outputlookup compliance.csv
Ciao.
Giuseppe
@gcusello has a good solution, but mind the typos (the space in the fields command, and "append"):
...
| fields - count
| append [ | inputlookup compliance.csv | fields Solution Status ]
...
Hi @MoeTaher ,
Yes, correct (I'm sorry!):
index=EDR
| stats count
| eval Status=if((count > "0"),"Compliant","Not Compliant"), Solution="EDR"
| fields - count
| append [ | inputlookup compliance.csv | fields Solution Status ]
| stats first(Status) AS Status BY Solution
| outputlookup compliance.csv
Ciao.
Giuseppe
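A generalization of the approaches in the replies above, added here as an example and not taken from any of the posts: one scheduled search that recomputes the Status of every Solution listed in compliance.csv in a single pass, instead of running one search per solution. It assumes (hypothetically) that each solution's data lives in an index named after the solution in lower case (edr, dlp), that the lookup has exactly the Solution and Status columns shown in the question, and that 24 hours is the compliance window; the index list, the window and the upper() name mapping are assumptions to adapt to your environment.

```spl
| tstats count WHERE index IN (edr, dlp) earliest=-24h BY index
| rename index AS Solution
| eval Solution=upper(Solution)
| inputlookup append=t compliance.csv
| fillnull value=0 count
| stats sum(count) AS count BY Solution
| eval Status=if(count > 0, "Compliant", "Not Compliant")
| fields Solution Status
| outputlookup compliance.csv
```

The point of appending the lookup before the stats is the failure mode the question is really about: tstats returns no row at all for an index with zero events, so a solution that has gone silent would simply disappear from the CSV instead of being flagged. Seeding the result set from compliance.csv gives every listed solution a row, fillnull turns the missing count into 0, and the stats merges the seeded row with any real counts. As noted in the thread, outputlookup still rewrites the whole file, so keep the lookup as the single source of truth for which solutions to check, and schedule this as a saved search rather than running it ad hoc. Note that index names in Splunk are case-sensitive, which is why the mapping from index to Solution is made explicit with eval rather than relied upon.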