Splunk Enterprise Security

How to monitor changes in kv store lookups


Hello everyone

I have the following problem:
I have set the disabled flag in ip_intel with the following query:
| inputlookup ip_intel where _key="js.arcgis.com"
| eval disabled="1"
| outputlookup append=true ip_intel

After some time I discovered that the disabled field value had disappeared.

My question is how I can monitor when and why the value is no longer in its place.
I thought about using internal indexes.
