Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you manage several look-ups reviews?

AntoineDRN
Path Finder
‎12-06-2022 08:08 AM

Hello Splunkers, 

 

I come to you in order to gather some tips and tricks around look-ups management.

For example, I have several look-ups used to whitelist some machine, and after a time a part of these machine aren't used anymore. I bet we are not the only one to face this, so I was wondering, how you manage the review and update of these? 

I first had the idea to use the [fschange] stanza on ours to get mofications (with time information and details about the change Add/Delete/Edit). But i also saw that is was deprecated. Is it still a good thing to use in order to manage our look-ups? Is there something that replace this stanza? Because I unfortunately have not found anything. 

I also thought adding columns to have the "Creation date"/"Modification date"/"Too old" or stuff like that for each row. Is that a good enought workaround?

 

Thanks for your tips! 🙂

Happy Splunking,

A-D

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Atriarc
SplunkTrust
SplunkTrust
‎12-06-2022 08:54 AM

I would think that adding an additional column to your lookups containing the epoch time value for when the entry was created (or modified if you want that much granularity/complexity). From there it just becomes a matter of when to roll stale data out of the lookup. 

View solution in original post

Tags (1)
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-06-2022 09:01 AM

Hi @AntoineDRN,

I'd create a scheduled search that checks the missing machines, so you can update your lookup when in the results there's a deprecated machine.

Or otherwise (I don't like it) you could also automatically update your lookup using a scheduled search, but I prefer the other solution because it gives me more control.

Ciao.

Giuseppe

Reply
Solved! Jump to solution
Solution

Atriarc
SplunkTrust
SplunkTrust
‎12-06-2022 08:54 AM

I would think that adding an additional column to your lookups containing the epoch time value for when the entry was created (or modified if you want that much granularity/complexity). From there it just becomes a matter of when to roll stale data out of the lookup. 

Tags (1)
Reply
Solved! Jump to solution

AntoineDRN
Path Finder
‎12-07-2022 11:48 PM

That's what I will try to implement.

Thanks for your answer

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...