
Lookup update using Splunk report - Why is there missing data?

s_absinthe
Explorer

Hi everyone,

I have observed that some of my lookup files that are intended to be updated on a daily basis by reports do not always have the latest data. I have used 2 approaches so far:

1) Used the report add action feature to add data to lookup files.

2) Used the outputlookup command with append.

In both cases, I have scheduled them to run on a daily basis. But I have observed that my lookup does not always get updated (appended) with the daily chunk of data. I have verified this by running individual searches for data availability on the particular days for which no data was added to the lookups.

Can someone please help me understand the possible cause behind this?

Thanks in advance.


marysan
Communicator

Hi
You should add append=T to your outputlookup command:
| outputlookup append=T test.csv
Did you do that?


richgalloway
SplunkTrust

In addition to @gcusello's comments, a lookup could fail to get updated if the updating search was skipped for some reason.  Check the Scheduler Activity page in the MC to see if the search was skipped.


gcusello
SplunkTrust

Hi @s_absinthe,

If a lookup isn't updated with the outputlookup command in a scheduled search, it means that at the moment of the execution of the scheduled search there wasn't any available data.

So test your search taking the data at the time of execution of your scheduled search (e.g. if a scheduled search runs at 01.00 and has a time range of 24 hours, test your search in that specific time range, not in another).

Ciao.

Giuseppe
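
An added example, not part of any reply above: one way to check both causes raised in this thread (a run that was skipped, or a run that found no data in its time range) from the scheduler's own log, one row per problem day. The saved search name is a placeholder and the 30-day window is an assumption; `status`, `reason`, `result_count` and `scheduled_time` are fields of the `scheduler` sourcetype in `_internal`.

```spl
index=_internal sourcetype=scheduler savedsearch_name="<your_lookup_update_report>" earliest=-30d@d latest=@d
| eval run_day=strftime(scheduled_time, "%Y-%m-%d")
| stats count(eval(status=="skipped")) AS skipped_runs
        count(eval(status=="success")) AS successful_runs
        max(result_count) AS max_result_count
        values(reason) AS skip_reasons
        BY run_day
| eval diagnosis=case(
    successful_runs==0 AND skipped_runs>0, "skipped by the scheduler",
    successful_runs>0 AND (isnull(max_result_count) OR max_result_count==0), "ran, but returned no rows for its time range",
    true(), "ok")
| where diagnosis!="ok"
| sort run_day
```

A day reported as "ran, but returned no rows" while a later manual search finds events for that day suggests the events were not yet indexed when the scheduled search ran, which is the case where re-testing with the exact scheduled time range matters.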
