Solved: Splunk for Enterprise Security: How can I force Sp...

RiccardoV · ‎03-18-2015

Hi,

I am using Splunk 6.2.2 and Enterprise Security 3.1.1.
I have a bunch of threat lists (the actual URLs are lookups to local csv files: lookup://threatlist_lookup ).
If i update the csv, I notice that Splunk ES doesn't immediately use the new version of the threatlist, but the old one. Only after some time does it "refresh" those lists using the new data.
How can I force Splunk to check if a "new version" of the csv files are available?

Thanks

bjoernjensen · ‎03-18-2015

A debug refresh could help. Within a browser open your equivalent of http_//SPLUNKSERVER:8000/en-GB/debug/refresh

Another approach can be found in the answer from @bmacias84 in this topic:
http://answers.splunk.com/answers/86564/updating-lookup-table-data-externally-auto-magically.html

View solution in original post

bjoernjensen · ‎03-18-2015

A debug refresh could help. Within a browser open your equivalent of http_//SPLUNKSERVER:8000/en-GB/debug/refresh

Another approach can be found in the answer from @bmacias84 in this topic:
http://answers.splunk.com/answers/86564/updating-lookup-table-data-externally-auto-magically.html

Splunk for Enterprise Security: How can I force Splunk to check for a new version of my CSV threat lists?

Index This | Why do they call it hyper text?

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

The Great Resilience Quest: 9th Leaderboard Update