How to reindex data to get new data with changes being made?

phamxuantung
Communicator

Hello,

I have a DBInput that has a database with a list of users with email and phone number, and people can make changes to that DB, which includes deleting a row. The problem that I encounter is that the data that is already indexed retains the deleted row in the DB, and thus the alert is still sent to that already deleted contact. So I want to find a way to reindex that DB on a daily basis and delete the last indexed data.

I have 3 solutions that I can think of:

1. Set up an alert that runs |delete daily so DBConnect can reindex (but I have to manually set the rising column checkpoint to 0)

2. Batch input them daily and set up my search (it's a join in an alert) to search for -1d, since it's not a big amount of data.

3. Join the table directly within the SQL query when I index them; that way it'll always have the updated DB (but it'll tank on the DB server side)

Which of these 3 solutions do you think is good? Or can you offer me an alternative, better solution?

0 Karma

isoutamo
SplunkTrust

Hi

Can you just add a scheduled search which runs on a daily basis and creates a local lookup with it? Then just use that lookup in those alerts and wherever you need it. It's basically the same as using dblookup, but this doesn't need an active connection between your database and the SH all the time, just when that lookup is updated. And when updating, don't replace the old one without having a new one with lines. Then it is not a big issue if the connection fails when the lookup is updated (just one-day-old data).

r. Ismo

0 Karma
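
The lookup-based approach from the answer above, sketched as a `savedsearches.conf` fragment. This is an added example, not configuration posted by either participant; the connection name, SQL table, field names, index, sourcetype, schedule and lookup file name are all assumptions.

```ini
# savedsearches.conf
# Added example: every name below (connection, table, fields, index,
# sourcetype, lookup file) is a placeholder to be replaced.

# Daily refresh of the contact list from the database into a CSV lookup.
# dbxquery is the DB Connect search command; it pulls the current rows
# without indexing them, so nothing has to be deleted or reindexed.
# override_if_empty=false tells outputlookup to keep the existing file
# when the search passes it no results, so a refresh that returns
# nothing does not wipe yesterday's contact list.
[Refresh contact lookup]
enableSched = 1
cron_schedule = 0 2 * * *
search = | dbxquery connection="my_db_connection" query="SELECT user_id, email, phone FROM contacts" \
| outputlookup override_if_empty=false contacts.csv

# Alert search: enrich events from the lookup instead of joining against
# rows that were indexed earlier. A user deleted from the database is
# missing from the lookup after the next refresh, gets no email value,
# and is dropped by the where clause, so no alert goes to that contact.
[Example alert using the lookup]
search = index=my_index sourcetype=my_events \
| lookup contacts.csv user_id OUTPUT email phone \
| where isnotnull(email)
```

Because the lookup is rewritten in full on each successful run, it always mirrors the table as of the last refresh, which is at most one day old with this schedule.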