Splunk Enterprise Security

SplunkES -Data Enrichment - Asset and Identity Management- How does the content update work?

restinlinux
Explorer

The changes of the data source are not immediately reflected and some old information remains for several minutes.

How the content updates works? cron ? or Or is each data source combined and returned with each inputlookup reference? 

Or this depend on the environment use.. Clustering?

e.g. whether synchronization between search heads takes time and a time lag exists in the reflection of the results.

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

You are correct.  Changes to assets and identities do not take effect immediately.  A set of saved search runs periodically to refresh the lists.  You can find the relevant searches by looking for "Asset * - Lookup Gen" and "Identity * - Lookup Gen"

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

The Great Resilience Quest: 9th Leaderboard Update

The ninth leaderboard update (11.9-11.22) for The Great Resilience Quest is out >> Kudos to all the ...