Hi,
I have a lookup table of trusted hosts. This is being used in an alert to match for entries. Since this is a learning phase, I have to keep updating my lookup table of trusted hosts.
If I just delete the .csv file and add a new updated .csv file with the same name, will the alert stay unaffected? Or do I have to reconfigure the alert after every update to the lookup file? Does any other way exist for this?
Updating a lookup table file by external means should be no problem as long as the name of the file remains the same. Splunk will re-read the file every time it needs to be used if it's very small, or reload it from disk when a change is detected if it's large.
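Deleting the file and then adding the new one leaves a short window in which no file exists under that name. The following added example (not part of the original answer, and not Splunk code) replaces the lookup CSV with an atomic rename instead, and rejects an update whose header differs, on the assumption that the alert's lookup refers to the CSV's column names. The file name `trusted_hosts.csv` and the fields `host` and `owner` are hypothetical.

```python
import csv
import os
import shutil
import tempfile


def read_header(path):
    """Return the first row (the column names) of a CSV file."""
    with open(path, newline="") as fh:
        return next(csv.reader(fh), [])


def replace_lookup(lookup_path, new_rows, header):
    """Atomically replace lookup_path with header + new_rows; return the row count.

    Refuses a changed header, an empty list or a malformed row, so the alert
    never runs against a missing, empty or reshaped trusted-host table.
    """
    header = list(header)
    exists = os.path.exists(lookup_path)
    if exists and read_header(lookup_path) != header:
        raise ValueError("header differs from the lookup file in place")
    rows = [list(r) for r in new_rows]
    if not rows:
        raise ValueError("refusing to install an empty trusted-host list")
    if any(len(r) != len(header) for r in rows):
        raise ValueError("row with the wrong number of fields")

    # Temp file in the same directory, so the final rename stays on one filesystem.
    directory = os.path.dirname(os.path.abspath(lookup_path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, suffix=".tmp")
    try:
        with os.fdopen(fd, "w", newline="") as fh:
            writer = csv.writer(fh, lineterminator="\n")
            writer.writerow(header)
            writer.writerows(rows)
            fh.flush()
            os.fsync(fh.fileno())
        if exists:
            # mkstemp creates the file 0600; keep the mode of the file being replaced.
            shutil.copymode(lookup_path, tmp_path)
        os.replace(tmp_path, lookup_path)  # readers see the old or the new file
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return len(rows)
```

Run it as a user that owns the lookup directory; on the first install there is no existing file to copy the mode from, so set the permissions the Splunk process needs by hand.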
I have a simple 2-field csv file and it is configured with a lookup table. When I add a new line to the csv file, it is not reflected in search. Do I need to do anything manually here?
Thanks! I just deleted and replaced the file and still everything runs smoothly!