cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
sfurkan
Explorer
Member since: ‎02-08-2021
‎04-05-2021
Community Statistics
Posts 6
Solutions 0
Karma Given 5
Karma Received 0
Member Since ‎02-08-2021
Activity Feed
View All

Re: delete rows from lookup

by SplunkTrust in Alerting
‎04-02-2021 01:22 AM
2 Karma
‎04-02-2021 01:22 AM
2 Karma
Hi @sfurkan, You can use below sample query. I assume your user.csv has user field. | inputlookup user.csv | search NOT [ 'your search that outputs deleted_user field from 4733 events' | rename deleted_user as user | fields user] | outputlookup user.csv   ... View more

Re: add field to lookup

by in Alerting
‎03-22-2021 06:55 AM
‎03-22-2021 06:55 AM
Hi @sfurkan, you have to update the timestamp in a lookup with two columns: host last connection, when a condition is trggered, you could run something like this: index=your_index your_condition | eval host=lower(host) | stats latest(_time) AS latest BY host | append [ | inputlookup | eval host=lower(host) | fields host latest ] | stats max(latest) As latest By host | outputlookup your_lookup In other words, you have to take the values from the search and from the lookup modifying only the values from the main search and savinf the results in the loolup. If you could share your alert's search and the fields of your lookup I could be more precise Ciao. Giuseppe ... View more

Re: csv file exclude

by SplunkTrust in Splunk Search
‎02-09-2021 01:32 AM
‎02-09-2021 01:32 AM
I noticed and fixed my query after posting. I think you read before my edit. Please check my reply again. I changed it to src_user. It will compare user field in csv with src_user in events. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-05-2021 12:37 PM
Karma given to
View All