topic Re: Input Lookup: Compare previous version of input lookup to current version using SPL in Splunk Enterprise Security

Input Lookup: Compare previous version of input lookup to current version using SPL

regarza — Thu, 28 Mar 2024 14:55:13 GMT

Is there currently a capability in Splunk that will allow us search and compare the previous version of an input lookup to the current version of the input lookup to identify what has changed between the two? In search is there a parameter we can pass the input lookup command to specify the version what we want to evaluate?

Re: Input Lookup: Compare previous version of input lookup to current version using SPL

ITWhisperer — Thu, 28 Mar 2024 15:31:49 GMT

The simple answer is no - however, you could include a version number in your lookup, or a modified date as a new field, or every time you update it you save the old copy to a different lookup. Essentially, Splunk can only find information that you choose to keep.

Re: Input Lookup: Compare previous version of input lookup to current version using SPL

regarza — Thu, 28 Mar 2024 18:28:22 GMT

Thanks for commenting on my scenario, that is the same conclusion that I came to, but was hoping to find a way around it.

Re: Input Lookup: Compare previous version of input lookup to current version using SPL

PickleRick — Sat, 30 Mar 2024 09:08:53 GMT

Another walkaround is to collect the lookup data to an index before overwriting it with another "release". Then you can do a normal search against your indexed data.