Getting Data In

How to reindex data to get new data with chance being made?

phamxuantung
Communicator

Hello,

I have a DBInput that have a database with a list of user with email and phone number, and people can make change to that DB, which include delete a row. The problem that I encounter is, the data that already indexed retain the deleted row in the DB, and thus the alert still send to that already deleted contact. So I want to find a way to reindex that db on a daily basis and delete the last indexed data.

I have 3 solotions that I think of:

1. Setup an alert that run |delete daily and DBConnect can reindex (but I have to manually set the rising column check point to 0)

2. Batch input them daily and setup my search (it's a join in an alert) to search for -1d since it's not big of a data.

3. Join the table directly within SQL query when I indexing them, that way it'll always have the updated DB (but it'll tank on the DB server side)

Which of these 3 solutions do you think is good? Or can you offer me an alternate, better solutions?

Labels (2)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

can you just add scheduled search which a run a daily base and create a local lookup with it? Then just use that lookup on those alerts and where ever you need it. Basically same than use dblookup, but this don't need a active connection between your database and SH all time, just when that lookup has updated. And when update don't replace old without having a new with lines. Then it is not an big issue if connection fails when lookup has updates (just one day old data).

r. Ismo

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...