- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Modify lookup cells by search command
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a lookup called FailuresList
It contains the following fields: date, site, text, excluded
I would like to modify the "excluded" from "No" to "Yes" of keys that their date equals to DateT extracted by the following search
index=clientlogs FailedApp=* OR "WorkflowServer.CloseApplication * pid:" | rex field=Message.Text "pid: (?\d+)"| transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s mvlist=f | eval dateT=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N")
How shall I do it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another approach. This is updating exclude="Yes" for every date which are available in the search.
index=clientlogs FailedApp=* OR "WorkflowServer.CloseApplication * pid:" | rex field=Message.Text "pid: (?<AppPID>\d+)"| transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s mvlist=f | eval date=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N") | stats count by date | table date | eval exclude_new="Yes" | eval discard="yes" | append [| inputlookup FailuresList] | eventstats values(exclude_new) as exclude_new by date | where discard!="yes" |eval exclude=coalesce(exclude_new,exclude) | fields - exclude_new | outputlookup FailuresList
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another approach. This is updating exclude="Yes" for every date which are available in the search.
index=clientlogs FailedApp=* OR "WorkflowServer.CloseApplication * pid:" | rex field=Message.Text "pid: (?<AppPID>\d+)"| transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s mvlist=f | eval date=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N") | stats count by date | table date | eval exclude_new="Yes" | eval discard="yes" | append [| inputlookup FailuresList] | eventstats values(exclude_new) as exclude_new by date | where discard!="yes" |eval exclude=coalesce(exclude_new,exclude) | fields - exclude_new | outputlookup FailuresList
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Instead of where discard!="yes" you shall use where isnull(discard)
All the rest was perfectly matching. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming that the key is AppPID, try this:
index=clientlogs FailedApp= OR "WorkflowServer.CloseApplication pid:" | rex field=Message.Text "pid: (?\d+)"| transaction AppPID host startswith="WorkflowServer.CloseApplication pid:" endswith="Application failed" maxspan=60s mvlist=f | eval dateT=strftime((_time*1000+duration*1000)/1000,"%Y-%m-%d %H:%M:%S.%2N") | fields AppPID dateT | append [|inputlookup MyLookupName] | stats values(*) AS * by AppPID | eval excluded = if((date=dateT), "Yes", excluded) | fields - dateT | outputlookup MyLookupName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
AppPID is not the key, therefore it didn't work for me. Any idea?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ICAP_RND, if this lookup is csv based, the only option is to use inputlookup to pull in the table, use search commands such as eval to adjust the fields as needed, and then outputlookup to rewrite the modified table to disk.
If it is kvstore based, there are rest commands that can be used for pinpoint modification of specific table entries. More information is available here : http://dev.splunk.com/view/SP-CAAAEZG
Please let me know if this answers your question!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this lookup kvstore of csv based?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
