Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to re-read the same file again daily

mlevsh
Builder
‎12-16-2019 07:36 AM

Hi,
trying to find the best solution (approach) to the following issue:

We are monitoring ( via Splunk Universal forwarder ) the file "Assignment_group.csv" , exported daily from Service Now.
It exports assignment_groups and It has department name, team name, team's manager:
"Our department" , "Our Team", "Our Manager".
We ingest it and use it as lookup for assignment groups in our related dashboards.

If file is not changed - Splunk doesn't index it again , it seems, and as a result - our lookup gets empty.

We thought about using [batch://...] to read the same file instead of [monitor://...] but it deletes the source file and we want to keep it for troubleshooting proposes.

Any advice will be appreciated

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-16-2019 07:53 AM

Hi @mlevsh,
you have to read the lookup values and use them before overriding the lookup itself, in other words, something like this:

index=my_index
| append [ | inputlookup my_lookup | table field1 field2 field3 ]
| stats values(field2) AS field2 values(field3) AS field3 BY field1
| eval field2=mvindex(field2,0), field3=mvindex(field3,0)
| table field1 field2 field3
| outputlookup my_lookup

where field1 is the key field and field2 and field3 are the fields to upgrade.

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...