Re: Lookup update using Splunk report

s_absinthe · ‎06-28-2022

Hi everyone,

I have observed that some of my lookup files that are intended to get updated on daily basis by reports, does not always have latest data. I have used 2 approaches so far:
1) Used report add action feature to add data to lookup files.

2) Used Outputlookup command with append.

In both the cases, I have scheduled them to run on daily basis. But have observed that my lookup always do not gets updated (appended) with daily chunk of data. I have verified by running individual searches for the data availability for those particular days for which lookups were not added with data.

Can someone please help me in understanding at the possible cause behind this.

Thanks in advance.

marysan · ‎06-28-2022

Hi
you should add append=T to tour outputlookup command
|outputlookup append=T test.csv
did you di that ?

richgalloway · ‎06-28-2022

In addition to @gcusello's comments, a lookup could fail to get updated if the updating search was skipped for some reason. Check the Scheduler Activity page in the MC to see if the search was skipped.

---
If this reply helps you, Karma would be appreciated.

gcusello · ‎06-28-2022

Hi @s_absinthe,

if a lookup isn't updated with out outputlookup command in a scheduled search, means that at the moment of the execution of the sceduled search there wasn't any available data.

So test you search taking the data at the time of execution or your scheduled search (e.g. if a scheduled search runs ate 01.00 and has a rime range of 24 hours test your search in that specific time range not in another).

Ciao.

Giuseppe

Lookup update using Splunk report- Why is there missing data?

saved search

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk