Lookup update using Splunk report - Why is there missing data?

s_absinthe
Explorer

Hi everyone,

I have observed that some of my lookup files that are intended to get updated on a daily basis by reports do not always have the latest data. I have used 2 approaches so far:
1) Used report add action feature to add data to lookup files.

2) Used the outputlookup command with append.

In both cases, I have scheduled them to run on a daily basis, but I have observed that my lookup does not always get updated (appended) with the daily chunk of data. I have verified the data availability by running individual searches for those particular days for which data was not added to the lookups.

Can someone please help me understand the possible cause behind this?

Thanks in advance.

0 Karma

marysan
Communicator

Hi,
you should add append=T to your outputlookup command:
|outputlookup append=T test.csv
Did you do that?

0 Karma

richgalloway
SplunkTrust

In addition to @gcusello's comments, a lookup could fail to get updated if the updating search was skipped for some reason.  Check the Scheduler Activity page in the MC to see if the search was skipped.

---
If this reply helps you, Karma would be appreciated.

gcusello
SplunkTrust

Hi @s_absinthe,

If a lookup isn't updated with the outputlookup command in a scheduled search, it means that at the moment of the execution of the scheduled search there wasn't any available data.

So test your search taking the data at the time of execution of your scheduled search (e.g. if a scheduled search runs at 01.00 and has a time range of 24 hours, test your search in that specific time range, not in another).

Ciao.

Giuseppe
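
Both causes raised in the replies above (a run skipped by the scheduler, and a run that found no data in its time range at execution time) can be checked per day from the scheduler's own log in `_internal`. This search is an added example, not posted by anyone in the thread; `YOUR_LOOKUP_REPORT_NAME` is a placeholder for the report that writes the lookup, and it assumes a standalone search head where completed runs are logged with `status=success`.

```spl
index=_internal sourcetype=scheduler savedsearch_name="YOUR_LOOKUP_REPORT_NAME" earliest=-30d@d latest=@d
| timechart span=1d
    count(eval(status="success")) AS ok_runs
    count(eval(status="skipped")) AS skipped_runs
    max(result_count) AS max_results
    values(reason) AS skip_reason
| eval diagnosis=case(
    ok_runs=0 AND skipped_runs>0, "skipped by scheduler",
    ok_runs=0, "no run logged for this day",
    max_results=0, "ran, but the search returned no rows",
    true(), "ok")
| where diagnosis!="ok"
| table _time ok_runs skipped_runs max_results skip_reason diagnosis
```

Days diagnosed as "ran, but the search returned no rows" are the ones to re-run manually with the exact time range the scheduled run used, since data indexed after the run will make a later manual search look fine.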
