Solved: How to add additional columns?

Miky · ‎08-02-2022

Hi folks,

Just started using splunk lately and I'm stuck with this alert that I want to create, I've been told to add priority ( P1,P2,P3 column) and job alias from pw_job_mopping lookup be added to this alert that already exist as additional columns.

Any help will be appreciated 🙏.

gcusello · ‎08-03-2022

Hi,

your request is just a little vague, could your share your search and the fields of your lookup?

Anyway, If in the lookup you have at least two columns: one is the "priority" and one is the "job", you could create something like @martinpu hinted:

your_search
| lookup pw_job_mopping.csv job OUTPUT priority
| table _time job priority

Ciao.

Giuseppe

View solution in original post

gcusello · ‎08-03-2022

Hi,

your request is just a little vague, could your share your search and the fields of your lookup?

Anyway, If in the lookup you have at least two columns: one is the "priority" and one is the "job", you could create something like @martinpu hinted:

your_search
| lookup pw_job_mopping.csv job OUTPUT priority
| table _time job priority

Ciao.

Giuseppe

Miky · ‎08-03-2022

gcusello it works, the problem is that I'm getting only priority1 not priority2 and priority3.

Just to be specific, under priority field I have 1,2,and3, but I'm getting only priority1.

gcusello · ‎08-12-2022

Hi @Miky,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Miky · ‎08-03-2022

Thanks,

martinpu · ‎08-03-2022

index=A sourcetype=B source=C
| rename queue as Queue
| lookup local=true pw_map.csv Queue
| where queue_disabled!="Y"
| eval queue_depth_threshold=mvdedup(queue_depth_threshold)
| eval over_threshold=if(curdepth>queue_depth_threshold,1,0)
| stats latest(curdepth) as curdepth first(curdepth) as firstCur count as event_count sum(over_threshold)
as over_threshold latest(avg_queue_depth) as avg_queue_depth latest(Priority) as Priority latest(Owner)
as queue_owner latest(queue_depth_threshold) as queue_depth_threshold latest(Team) as Team
latest(mt_impact) as mt_impact latest(mt_impact_desc) as mt_impact_desc latest(mt_impact_priority) as
mt_impact_priority latest(functional_impact) as functional_impact by Queue hostname
| where over_threshold>=3 AND curdepth>queue_depth_threshold
| eval Status=case((curdepth-firstCur)>0, "Queue Depth Increasing", (curdepth-firstCur)<0, "Queue Depth
Decreasing", (curdepth-firstCur)=0, "Queue Depth Stagnant")
| where Status!="Queue Depth Decreasing"
| lookup local=true pw_map.csv Queue

If you add that lookup to the end, does that solve your issue?

It matches Queue from lookup to Queue from results and outputs all fields from the lookup

Miky · ‎08-03-2022

It gives Error in lookup command: can not find the source field 'job' in the lookup table 'pw_job_map.csv.

martinpu · ‎08-03-2022

Are there any fields in your lookup that match a field in the result table?

martinpu · ‎08-02-2022

add this to your query:

| lookup your_lookup_file.csv pw_job_mopping

this command assumes pw_job_mopping exists in both the lookup and your query and looks up identical values to enrich with all fields in the lookup

If you only want the priority field add outputnew priority_field as priority to the end of that line

This page has additional documentation on the lookup command:
https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Lookup

How to add additional columns?

other

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases