Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Update kvstore

javier_reina
Explorer
‎05-11-2021 12:49 AM

Good morning,

We are trying to use a kvstore to store data when performing a query to later query it in a dashboard.

The kvstore has the following data:

Subcontrols | Value1 | Value2
1.1                    | 100       | 99
1.2                    | 200       | 80
1.3                    |99           | 98

Reviewing the documentation and following the examples we can enter a number manually in the query and change the value using a | eval :

| inputlookup ciskvstore | eval key=_key | where SubControls="1.1" | eval Value2=526 | outputlookup ciskvstore append=True

And the result would be the following:

Subcontrols | Value1 | Value2
1.1                    | 100       | 526
1.2                    | 200       | 80
1.3                    |99           | 98

 

The problem appears when we try to update the Value2 field of a Subcontrol from another query:

EX:

| inputlookup ciskvstore append=true | where SubControls="1.1" | append [| search index=paloalto sourcetype="pan:threat" | stats count as Value2 ] | outputlookup ciskvstore append=true

The result in the kvstore would be the following:

Subcontrols | Value1 | Value2
1.1                    | 100       | 526
1.2                    | 200       | 80
1.3                    |99           | 98
                                            | 396


Could someone help me and tell me how to correctly perform the query so that from another query I can write the Value2 field of a specific Subcontrol please?

 

Thank you very much in advance,

Labels (2)
Labels
0 Karma
Reply

javier_reina
Explorer
‎06-04-2021 12:32 AM

 

Good morning @kamlesh_vaghela 

In a kv store we have 3 columns: Subcontrol, Value1 and Value2.

We are trying to calculate the percentage of Value1 and Value2 for each of the rows with a | eval and that creates new fields with the percentage, for example:

 

javier_reina_0-1622791933341.png

 

 

Expected result:

Subcontrol1%=0
Subcontrol2%=0
Subcontrol3%=100

 

Do you know how to perform the query to get the percentages in a new field for each row?


Greetings and thank you very much in advance.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-04-2021 01:04 AM

@javier_reina 

Have you tried eval ?

| eval percentage = round((value1/value2)*100)

 

KV 

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-11-2021 01:58 AM

@javier_reina 

 

Can you please try this?

index=paloalto sourcetype="pan:threat" 
| stats count as Value2
| appendcols [| inputlookup ciskvstore 
| eval key=_key 
| where SubControls="1.1"] | outputlookup ciskvstore append=true key_field=key
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...