Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

lookup table field update

raomu
Explorer
‎01-22-2018 11:35 PM

Hello,

I have a lookup with 3 fields "Hostname" "IP" "Status" ( Status is by default set with the value "Non-Active")

Hostname IP Status
AA 10.x.x.x Non-Active

BB 10.x.x.x Non-Active

CC 10.x.x.x Non-Active

Now I did a search using lookup to find what all servers are currently reporting to Splunk :

Result :

Host reporting to Spunk

AA

CC

Based on the result I want to update the value of field (Status as "Active") in existing lookup

So the result I am expecting :

lookup table looks now :

Hostname IP Status
AA 10.x.x.x Active

BB 10.x.x.x Non-Active

CC 10.x.x.x Active

Tags (1)
0 Karma
Reply

valiquet
Contributor
‎03-09-2018 03:51 AM

|eval Status=Active | join type=left [|inputlookup table] |outputlookup

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...