Alerting

updating a lookup table by external means

aniketb
Path Finder

Hi,

I have a lookup table of trusted hosts. This is being used in an alert to match for entries. Since this is a learning phase, I have to keep updating my lookup table of trusted hosts.

If I just delete the .csv file and add a new updated .csv file with same name, will the alert stay unaffected? Or I have to reconfigure the alert after every update to the lookup file? Does any other way exist for this?

Tags (3)
1 Solution

hexx
Splunk Employee
Splunk Employee

Updating a lookup table file by external means should be no problem as long as the name of the file remains the same. Splunk will re-read the file every time it needs to be used if it's very small, or reload it from disk when a change is detected if it's large.

View solution in original post

bhupalbobbadi
Path Finder

I have a simple 2 field csv file and is configured with lookup table, when I add new line to the csv file it is not reflecting in search. Do I need to do anything manually here?

0 Karma

hexx
Splunk Employee
Splunk Employee

Updating a lookup table file by external means should be no problem as long as the name of the file remains the same. Splunk will re-read the file every time it needs to be used if it's very small, or reload it from disk when a change is detected if it's large.

aniketb
Path Finder

Thanks! I just deleted and replaced the file and still everything runs smoothly!

0 Karma

bhupalbobbadi
Path Finder

I have a simple 2 field csv file and is configured with lookup table, when I add new line to the csv file it is not reflecting in search. Do I need to do anything manually here?

0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...