https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-monitor-changes-in-kv-store-lookups/m-p/466380#M6972 <P>Hello everyone</P> <P>I have following problem:<BR /> I have set disabled flag in ip_intel by following query:<BR /> | inputlookup ip_intel where _key="js.arcgis.com"<BR /> | eval disabled="1"<BR /> | outputlookup append=true ip_intel</P> <P>After some time I discovered that disabled field value disappeared.</P> <P>My question how I can monitor when and why value isn't anymore in its place.<BR /> I thought about using internal indexes.</P> Wed, 30 Sep 2020 04:52:01 GMT d4wc3k 2020-09-30T04:52:01Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-monitor-changes-in-kv-store-lookups/m-p/466380#M6972 <P>Hello everyone</P> <P>I have following problem:<BR /> I have set disabled flag in ip_intel by following query:<BR /> | inputlookup ip_intel where _key="js.arcgis.com"<BR /> | eval disabled="1"<BR /> | outputlookup append=true ip_intel</P> <P>After some time I discovered that disabled field value disappeared.</P> <P>My question how I can monitor when and why value isn't anymore in its place.<BR /> I thought about using internal indexes.</P> Wed, 30 Sep 2020 04:52:01 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-monitor-changes-in-kv-store-lookups/m-p/466380#M6972 d4wc3k 2020-09-30T04:52:01Z