Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Lookup update using Splunk report- Why is there missing data?

s_absinthe
Explorer
‎06-28-2022 05:20 AM

Hi everyone,

I have observed that some of my lookup files that are intended to get updated on daily basis by reports, does not always have latest data. I have used 2 approaches so far:
1) Used report add action feature to add data to lookup files.

2) Used Outputlookup command with append.

In both the cases, I have scheduled them to run on daily basis. But have observed that my lookup always do not gets updated (appended) with daily chunk of data. I have verified by running individual searches for the data availability for those particular days for which lookups were not added with data.

Can someone please help me in understanding at the possible cause behind this.

Thanks in advance.

Labels (1)
Labels
0 Karma
Reply

marysan
Communicator
‎06-28-2022 10:55 PM

Hi
you should add append=T to tour outputlookup command 
|outputlookup append=T test.csv
did you di that ?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-28-2022 08:35 AM

In addition to @gcusello's comments, a lookup could fail to get updated if the updating search was skipped for some reason.  Check the Scheduler Activity page in the MC to see if the search was skipped.

---
If this reply helps you, Karma would be appreciated.
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-28-2022 06:38 AM

Hi @s_absinthe,

if a lookup isn't updated with out outputlookup command in a scheduled search, means that at the moment of the execution of the sceduled search there wasn't any available data.

So test you search taking the data at the time of execution or your scheduled search (e.g. if a scheduled search runs ate 01.00 and has a rime range of 24 hours test your search  in that specific time range not in another).

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...