Splunk Enterprise Security

SplunkES -Data Enrichment - Asset and Identity Management- How does the content update work?

restinlinux
Explorer

The changes of the data source are not immediately reflected and some old information remains for several minutes.

How the content updates works? cron ? or Or is each data source combined and returned with each inputlookup reference? 

Or this depend on the environment use.. Clustering?

e.g. whether synchronization between search heads takes time and a time lag exists in the reflection of the results.

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

You are correct.  Changes to assets and identities do not take effect immediately.  A set of saved search runs periodically to refresh the lists.  You can find the relevant searches by looking for "Asset * - Lookup Gen" and "Identity * - Lookup Gen"

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting

Splunk is excited to announce new releases that empower ITOps and engineering teams to stay ahead in ever ...