Splunk Search

Add field to message using SPL request?

metylkinandrey
Communicator

Good afternoon!
I have a search query on which I base an alert:

index="main" sourcetype="testsystem-script707"
| eval srcMsgId_Исх_Сообщения=if(len('Correlation_srcMsgId')==0 OR isnull('Correlation_srcMsgId'),'srcMsgId','Correlation_srcMsgId')
| eventstats count as Message_Number by srcMsgId_Исх_Сообщения
| rex field=routepointID "^(?<Routepoint_ID_num>\d+)\."
| sort routepointID
| eventstats first(Routepoint_ID_num) as RouteID by srcMsgId_Исх_Сообщения
| sort _time
| eventstats first(_time) as MessageTime by srcMsgId_Исх_Сообщения
| eval Time_Now=now()
| eval diff_time=Time_Now-MessageTime
| where RouteID!=1 AND diff_time>15

But the alert constantly triggers on old message threads that match the conditions of the query above.
I would like to get rid of triggers on old chains by adding a field to the messages: alert=true or alert=0. Accordingly, I would add an additional condition to my query: work only when alert=0.
Can you tell me how to do that?


richgalloway
SplunkTrust

If by "adding fields to messages" you mean you want to change indexed events then know that is not possible.  Indexed data cannot be changed in any way.

If the alert cannot be changed to avoid false positives then you'll have to track which messages have been alerted separately, perhaps in a KVstore lookup.

---
If this reply helps you, Karma would be appreciated.

metylkinandrey
Communicator

Can you tell me how to search the KVstore?
I tried this:
| stats list(_key) as key
But that field is empty.


richgalloway
SplunkTrust

The stats command by itself won't search anything.  If you've already read the KVstore collection using inputlookup then that stats command should list all available keys.  If it still doesn't work then try assigning _key to a new field.

| inputlookup mykvstorelookup
| eval key=_key
| stats list(key) as key

To learn more about the KVstore, see https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/AboutKVstore

To learn more about using the KVstore, see https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/kvstore/uselookupswithkvstore/

---
If this reply helps you, Karma would be appreciated.
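As an added example that is not code from the thread, here is one way to put the two replies above together: the first reply's suggestion to track already-alerted chains in a KV store lookup, and the second reply's point that the collection is read back with inputlookup and that _key has to be copied into an ordinary field before stats or table will show it. It is written as three conf stanzas for one app. The collection and lookup name alerted_messages, the fields msg_id and alerted_at, the saved-search names, the schedules, the 24-hour search window and the 30-day retention are all assumptions; the search itself is the one from the question with the tracking steps appended at the end.

```ini
# Added example, not code from the thread. The collection name, field names,
# saved-search names, schedules and retention below are assumptions.

# collections.conf -- the collection that remembers which chains already fired
[alerted_messages]
enforceTypes = true
field.msg_id = string
field.alerted_at = time
accelerated_fields.by_msg_id = {"msg_id": 1}

# transforms.conf -- the lookup definition that exposes the collection to SPL.
# fields_list must name every field that lookup/inputlookup should return.
[alerted_messages]
external_type = kvstore
collection = alerted_messages
fields_list = _key, msg_id, alerted_at

# savedsearches.conf -- the alert from the question, extended so that a chain
# fires once: after the original filter, each chain is reduced to one row,
# looked up in the collection, dropped if it is already there, and otherwise
# written in. key_field=msg_id makes the write idempotent per chain, and
# because outputlookup is the last command the alert fires on exactly the
# rows that were just recorded.
[Stuck message chains]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now
alert.track = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
counttype = number of events
relation = greater than
quantity = 0
search = index="main" sourcetype="testsystem-script707" \
| eval srcMsgId_Исх_Сообщения=if(len('Correlation_srcMsgId')==0 OR isnull('Correlation_srcMsgId'),'srcMsgId','Correlation_srcMsgId') \
| eventstats count as Message_Number by srcMsgId_Исх_Сообщения \
| rex field=routepointID "^(?<Routepoint_ID_num>\d+)\." \
| sort routepointID \
| eventstats first(Routepoint_ID_num) as RouteID by srcMsgId_Исх_Сообщения \
| sort _time \
| eventstats first(_time) as MessageTime by srcMsgId_Исх_Сообщения \
| eval diff_time=now()-MessageTime \
| where RouteID!=1 AND diff_time>15 \
| dedup srcMsgId_Исх_Сообщения \
| eval msg_id=srcMsgId_Исх_Сообщения \
| lookup alerted_messages msg_id OUTPUT alerted_at \
| where isnull(alerted_at) \
| eval alerted_at=now() \
| table msg_id alerted_at RouteID MessageTime Message_Number diff_time \
| outputlookup append=true key_field=msg_id alerted_messages

# A nightly search that reads the collection back and keeps only the last
# 30 days, so a chain that gets stuck again much later can alert again.
# _key is copied into "key" first, as in the reply above; without append=true
# outputlookup replaces the whole collection with the surviving rows, and
# key_field=key keeps the original keys.
[Expire alerted_messages]
enableSched = 1
cron_schedule = 0 3 * * *
dispatch.earliest_time = -1m
dispatch.latest_time = now
search = | inputlookup alerted_messages \
| eval key=_key \
| where alerted_at > relative_time(now(), "-30d@d") \
| table key msg_id alerted_at \
| outputlookup key_field=key alerted_messages
```

Put the stanzas in the app's local directory (or create the collection, lookup definition and alerts through the UI with the same names) and reload. The trailing backslashes are the conf-file line-continuation syntax, so the search value can stay readable. To check that the tracking works, run the alert search by hand twice within a few minutes: the second run should return no rows, and `| inputlookup alerted_messages | eval key=_key | table key msg_id alerted_at` should show one record per chain that fired.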

metylkinandrey
Communicator

Tell me, is this not the answer to my question?

Found a solution from one of the forum members:

"I found a way to "edit" the events through modifying the _raw field - I agree it's not elegant at all, but it works and, which is more important, the bosses are happy":

index=[index_name] | ...
| eval _raw = replace(_raw,"severity_id=\"".$severity_id$."\"", "severity_id=\"".$new_severity_id$."\"") 
| table _time, _raw
| collect index=[index_name]  

richgalloway
SplunkTrust

If that works for you then, yes, it is a solution.  Be aware that you are not *editing* the event.  You are creating a new event that is a close copy of the current event.  There are considerations, too.  First, every event so collected counts against your license quota.  Second, you're duplicating events, which may have implications for other queries that process the data.

---
If this reply helps you, Karma would be appreciated.

metylkinandrey
Communicator

Thank you, could you describe this case in more detail?
