Created
November 18, 2022 03:35
-
-
Save marcusschiesser/6aa832c6bd48173d2aad320f7e76b17e to your computer and use it in GitHub Desktop.
Splunk outputlookup macro that ensure that only x% of a KV store are changed at once
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [outputlookup_guard(2)] | |
| args = name,allowed_changes | |
| definition = eventstats count as new_count\ | |
| | eval old_count=[| inputlookup $name$ | stats count | return $count]\ | |
| | eval max_count=old_count*(1+$allowed_changes$), min_count=old_count/(1+$allowed_changes$)\ | |
| | where new_count>min_count and new_count<max_count\ | |
| | fields - new_count, old_count, min_count, max_count\ | |
| | outputlookup $name$ override_if_empty=false | |
| iseval = 0 | |
| errormsg = 'name' must be a lookup and 'allowed_changes' must be a number between 0 and 1 | |
| validation = isstr($name$) and isnum($allowed_changes$) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Practical if
override_if_empty=falseis not enough 😄Example usage:
| outputlookup_guard(name=mylookup,allowed_changes=0.1)- this is like| outputlookup mylookup, it just ensures that those changes are only applied if the result set size does not differ more than 10%.