When a lookup is updated via | outputlookup, does ...

harishsplunk7 · ‎03-05-2024

When a lookup is updated via | outputlookup, does that change the modified time?
For example - search for a lookup or kvstore name and see the SPL that gives overall usage, then have the option to filter to only those SPL searches that have an outputlookup that modify the file.

index=abc sourcetype=xyz | stats count | outputlookup append=true newlookup.csv

How can i track whether outputlokkup file is updated or not using _internal or _audit index. Pleae suggest the splunk query to get the status

yuanliu · ‎03-05-2024

Let me try to answer two separate questions. I think the question about "modified time" is in regard to file system record. Is this correct? Yes, file system modified time is updated.

~~Splunk 9 added a~~ Update: If you install Chris Younger's Config Explorer, you will find sourcetype config_explorer in _internal that includes the information you want. For example, you can do

index = _internal sourcetype="config_explorer" item="./etc/*/lookups/*"
| stats max(_time) as _time by item

I don't think such information is retained ~~before 9~~ without an app.

When a lookup is updated via | outputlookup, does that change the modified time?

data model

kvstore

lookup

search macro

summary indexing

workflow action

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

When a lookup is updated via | outputlookup, does that change the modified time?

Can’t make it to .conf25? Join us online!