Splunk Search

outputlookup append one field but not another

daniel_althoff8
Loves-to-Learn

I am trying to write a search that will update a lookup asset table, with an additional table column metric (weight1). However, I want to be able to append the asset column, without the 2nd column being appended.

Is this possible? 

example:

 

 

index=* host=* | table host weight1| dedup host | rename host AS asset| outputlookup append=false asset_score.csv

 

 

 This will run as a saved search to update the lookup table periodically.

However, if I modify the "weight1" column values in lookupeditor, the changes get wiped out whenever the above saved search runs. 

Any suggestions? 

Labels (3)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The outputlookup command replaces the entire lookup file, unless you the append=true option.

To replace parts of the lookup, you have to read in the lookup file, make the changes using SPL, and then write the lookup.  That looks like this:

| inputlookup asset_score.csv
| append [ search index=* host=* 
  | table host weight1 ]
| dedup host 
| rename host AS asset
| outputlookup append=false asset_score.csv

This query should retain rows from the lookup file while adding new hosts from the search.

---
If this reply helps you, Karma would be appreciated.

daniel_althoff8
Loves-to-Learn

The above suggestion still wipes out the "weight1" values from the lookup editor every time that search is ran. 

The goal is this---

Create a search that creates a lookup table of all hosts in the environment, and assign a value to each host. The search will run on a schedule so that any time a new host is created, the lookup table gets populated with that new host/ asset. 

I want to assign a # value (that can be edited) to each host in the lookup table, that can be used and queried against for other metrics later on. 

So the search needs to populate just the "asset" column, but not modify the "weight" column everytime the search is ran. 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Let's try something a little different.

 

| inputlookup asset_score.csv
| append [ search index=* host=* 
  | eval weight1 = 0
  | table host weight1 ]
| sort - host weight1
| dedup host 
| rename host AS asset
| outputlookup append=false asset_score.csv

 

After the sort we should have a list of hosts and weights.

 

foo     10
foo     0
bar     5
bar     0
baz     0

 

Dedup will yield the unique host names, along with their associated weights.

foo     10
bar     5
baz     0
---
If this reply helps you, Karma would be appreciated.
0 Karma

daniel_althoff8
Loves-to-Learn

Unfortunately, I am still getting the same issue. Where every time the search is ran, now the eval stanza forces the weight back to 0. 

 

I need to be able to edit the lookup table, but when the search runs, my edits wont change. 

 

The goal is to run a saved search to automatically add any new host (and not duplicate the host list) to the lookup table list with a default weight value, and then modify the weight values manually, but not have them revert back to the default weight value. 

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...