I am trying to write a search that will update a lookup asset table, with an additional table column metric (weight1). However, I want to be able to append the asset column, without the 2nd column being appended.
Is this possible?
example:
index=* host=* | table host weight1 | dedup host | rename host AS asset | outputlookup append=false asset_score.csv
This will run as a saved search to update the lookup table periodically.
However, if I modify the "weight1" column values in lookupeditor, the changes get wiped out whenever the above saved search runs.
Any suggestions?
The outputlookup command replaces the entire lookup file, unless you use the append=true option.
To replace parts of the lookup, you have to read in the lookup file, make the changes using SPL, and then write the lookup. That looks like this:
| inputlookup asset_score.csv
| append [ search index=* host=*
| table host weight1 ]
| dedup host
| rename host AS asset
| outputlookup append=false asset_score.csv
This query should retain rows from the lookup file while adding new hosts from the search.
The above suggestion still wipes out the "weight1" values from the lookup editor every time that search is run.
The goal is this:
Create a search that creates a lookup table of all hosts in the environment, and assign a value to each host. The search will run on a schedule so that any time a new host is created, the lookup table gets populated with that new host/asset.
I want to assign a # value (that can be edited) to each host in the lookup table, that can be used and queried against for other metrics later on.
So the search needs to populate just the "asset" column, but not modify the "weight" column every time the search is run.
Let's try something a little different.
| inputlookup asset_score.csv
| append [ search index=* host=*
| eval weight1 = 0
| table host weight1 ]
| sort - host weight1
| dedup host
| rename host AS asset
| outputlookup append=false asset_score.csv
After the sort we should have a list of hosts and weights.
foo 10
foo 0
bar 5
bar 0
baz 0
Dedup will yield the unique host names, along with their associated weights.
foo 10
bar 5
baz 0
Unfortunately, I am still getting the same issue: every time the search is run, the eval stanza now forces the weight back to 0.
I need to be able to edit the lookup table, but when the search runs, my edits won't change.
The goal is to run a saved search to automatically add any new host (and not duplicate the host list) to the lookup table list with a default weight value, and then modify the weight values manually, but not have them revert to the default weight value.
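An added example, not taken from any of the posts above, showing one way to keep the hand-edited weights: both answers dedup on host, but the rows read back from the lookup carry asset (not host), and dedup drops rows that lack the field, so the lookup rows are discarded before outputlookup rewrites the file. Tagging each row with its origin and sorting so the lookup copy of a host comes first lets dedup asset keep the edited weight and only fall back to the default for hosts that are new. It assumes asset_score.csv already exists with the columns asset and weight1 (create it once with the original search).

```spl
| inputlookup asset_score.csv
| eval src = "lookup"
| append
    [ search index=* host=*
      | stats count BY host
      | rename host AS asset
      | eval weight1 = 0
      | eval src = "search"
      | table asset weight1 src ]
| sort 0 asset src
| dedup asset
| table asset weight1
| outputlookup append=false asset_score.csv
```

Because "lookup" sorts before "search", dedup asset keeps the existing row (and its edited weight1) whenever a host is already in the file, and keeps the weight1 = 0 row only for hosts seen in the search for the first time; sort 0 lifts the default 10,000-row limit on sort, and the append subsearch is still subject to the subsearch result limit, so on very large environments run the stats search as the base search and use inputlookup append=true instead.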