Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you manage several look-ups reviews?

AntoineDRN
Path Finder
‎12-06-2022 08:08 AM

Hello Splunkers, 

 

I come to you in order to gather some tips and tricks around look-ups management.

For example, I have several look-ups used to whitelist some machine, and after a time a part of these machine aren't used anymore. I bet we are not the only one to face this, so I was wondering, how you manage the review and update of these? 

I first had the idea to use the [fschange] stanza on ours to get mofications (with time information and details about the change Add/Delete/Edit). But i also saw that is was deprecated. Is it still a good thing to use in order to manage our look-ups? Is there something that replace this stanza? Because I unfortunately have not found anything. 

I also thought adding columns to have the "Creation date"/"Modification date"/"Too old" or stuff like that for each row. Is that a good enought workaround?

 

Thanks for your tips! 🙂

Happy Splunking,

A-D

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Atriarc
SplunkTrust
SplunkTrust
‎12-06-2022 08:54 AM

I would think that adding an additional column to your lookups containing the epoch time value for when the entry was created (or modified if you want that much granularity/complexity). From there it just becomes a matter of when to roll stale data out of the lookup. 

View solution in original post

Tags (1)
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-06-2022 09:01 AM

Hi @AntoineDRN,

I'd create a scheduled search that checks the missing machines, so you can update your lookup when in the results there's a deprecated machine.

Or otherwise (I don't like it) you could also automatically update your lookup using a scheduled search, but I prefer the other solution because it gives me more control.

Ciao.

Giuseppe

Reply
Solved! Jump to solution
Solution

Atriarc
SplunkTrust
SplunkTrust
‎12-06-2022 08:54 AM

I would think that adding an additional column to your lookups containing the epoch time value for when the entry was created (or modified if you want that much granularity/complexity). From there it just becomes a matter of when to roll stale data out of the lookup. 

Tags (1)
Reply
Solved! Jump to solution

AntoineDRN
Path Finder
‎12-07-2022 11:48 PM

That's what I will try to implement.

Thanks for your answer

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...