Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Lookup update using Splunk report- Why is there missing data?

s_absinthe
Explorer
‎06-28-2022 05:20 AM

Hi everyone,

I have observed that some of my lookup files that are intended to get updated on daily basis by reports, does not always have latest data. I have used 2 approaches so far:
1) Used report add action feature to add data to lookup files.

2) Used Outputlookup command with append.

In both the cases, I have scheduled them to run on daily basis. But have observed that my lookup always do not gets updated (appended) with daily chunk of data. I have verified by running individual searches for the data availability for those particular days for which lookups were not added with data.

Can someone please help me in understanding at the possible cause behind this.

Thanks in advance.

Labels (1)
Labels
0 Karma
Reply

marysan
Communicator
‎06-28-2022 10:55 PM

Hi
you should add append=T to tour outputlookup command 
|outputlookup append=T test.csv
did you di that ?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-28-2022 08:35 AM

In addition to @gcusello's comments, a lookup could fail to get updated if the updating search was skipped for some reason.  Check the Scheduler Activity page in the MC to see if the search was skipped.

---
If this reply helps you, Karma would be appreciated.
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-28-2022 06:38 AM

Hi @s_absinthe,

if a lookup isn't updated with out outputlookup command in a scheduled search, means that at the moment of the execution of the sceduled search there wasn't any available data.

So test you search taking the data at the time of execution or your scheduled search (e.g. if a scheduled search runs ate 01.00 and has a rime range of 24 hours test your search  in that specific time range not in another).

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...