Solved: updating a lookup table by external means

aniketb · ‎07-27-2012

Hi,

I have a lookup table of trusted hosts. This is being used in an alert to match for entries. Since this is a learning phase, I have to keep updating my lookup table of trusted hosts.

If I just delete the .csv file and add a new updated .csv file with same name, will the alert stay unaffected? Or I have to reconfigure the alert after every update to the lookup file? Does any other way exist for this?

hexx · ‎07-27-2012

Updating a lookup table file by external means should be no problem as long as the name of the file remains the same. Splunk will re-read the file every time it needs to be used if it's very small, or reload it from disk when a change is detected if it's large.

View solution in original post

bhupalbobbadi · ‎09-27-2017

I have a simple 2 field csv file and is configured with lookup table, when I add new line to the csv file it is not reflecting in search. Do I need to do anything manually here?

hexx · ‎07-27-2012

Updating a lookup table file by external means should be no problem as long as the name of the file remains the same. Splunk will re-read the file every time it needs to be used if it's very small, or reload it from disk when a change is detected if it's large.

aniketb · ‎07-27-2012

Thanks! I just deleted and replaced the file and still everything runs smoothly!

bhupalbobbadi · ‎09-27-2017

I have a simple 2 field csv file and is configured with lookup table, when I add new line to the csv file it is not reflecting in search. Do I need to do anything manually here?

updating a lookup table by external means

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...

Splunk and Fraud

Build Your First SPL2 App!