Acceleration - Search including lookup

HeinzWaescher
Motivator

Hi,

I would like to use Report Acceleration. My search is using a lookup file, and this lookup file is updated once a day. Will the acceleration write the summary before using the lookup, so that the search will always use the latest version/information of my lookup file?

BG

Heinz


DavidHourani
Super Champion

Hello Heinz,

If you create an Automatic lookup with your lookup file, the updated information will be accelerated when you modify your file.

Best regards,

David


DavidHourani
Super Champion

Hello again,

So your CSV file contains the last activity and the other info is from your search?

Try using Automatic lookups instead of a lookup file; that way you won't need to use the 'lookup' command. But as far as acceleration goes, I think that once you accelerate a certain search, the results of the acceleration don't get modified over time unless you explicitly schedule the search to run every day after the lookup file is rewritten.

Best regards,
David


HeinzWaescher
Motivator

Hi,

I do it like this in the search string:

my search | lookup file.csv user_id OUTPUT last_activity |

The last_activity per user is written to the lookup file each day at 00:00. So the last activity for each user_id can change every time the lookup file is updated.

What I need is that the latest last_activity is used for all earlier events per user_id when I run the accelerated search.

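Editor's added illustration (not code from the thread or from Splunk): a toy model of the behaviour David describes. Report acceleration summarizes the search only up to its first transforming command, summary chunks that already exist are not rebuilt when file.csv changes, and whatever follows the transforming command is computed at search time against the merged summary. The model assumes Heinz's search ends in `stats count by user_id` (his transforming command is not shown) and compares two shapes: the lookup placed before `stats`, so its values are baked into each summary chunk, versus the lookup placed after `stats`, so it reads the current file on every run. The events and the two lookup-file versions are constructed sample data.

```python
"""Toy model of a summary-based (accelerated) search whose lookup file is
rewritten after part of the summary was built.  Added illustration for this
thread, not Splunk code: it mimics the behaviour, it does not call Splunk."""
from collections import defaultdict

# Constructed sample events as (time, user_id); the real "my search" is unknown.
EVENTS_DAY1 = [(1, "u1"), (2, "u1"), (3, "u2")]
EVENTS_DAY2 = [(4, "u2"), (5, "u3")]

# Constructed lookup file contents: the day-1 version and the rewritten day-2 one.
LOOKUP_DAY1 = {"u1": "2019-01-01", "u2": "2019-01-01", "u3": "2019-01-01"}
LOOKUP_DAY2 = {"u1": "2019-01-02", "u2": "2019-01-01", "u3": "2019-01-02"}

# Summary chunks as (events covered, lookup file as it was when the chunk was built).
# An existing chunk is never rebuilt just because file.csv changed.
SPANS = [(EVENTS_DAY1, LOOKUP_DAY1), (EVENTS_DAY2, LOOKUP_DAY2)]


def lookup(rows, table, key, out):
    """Analogue of `| lookup file.csv user_id OUTPUT last_activity`."""
    return [dict(r, **{out: table.get(r[key])}) for r in rows]


def count_by(rows, *fields):
    """Analogue of `| stats count by <fields>`, the transforming command."""
    counts = defaultdict(int)
    for r in rows:
        counts[tuple(r[f] for f in fields)] += 1
    return [dict(zip(fields, k), count=v) for k, v in sorted(counts.items())]


def run_accelerated(shape, spans, lookup_now):
    """shape is "lookup_before_stats" (lookup baked into each summary chunk) or
    "lookup_after_stats" (lookup applied to the merged summary at search time)."""
    partials = []
    for events, lookup_at_build in spans:
        rows = [{"time": t, "user_id": u} for t, u in events]
        if shape == "lookup_before_stats":
            rows = lookup(rows, lookup_at_build, "user_id", "last_activity")
            partials.extend(count_by(rows, "user_id", "last_activity"))
        else:
            partials.extend(count_by(rows, "user_id"))
    # Search time: re-aggregate the per-chunk counts, as the search head does
    # with summary data.
    merged = defaultdict(int)
    for p in partials:
        group = tuple((k, v) for k, v in p.items() if k != "count")
        merged[group] += p["count"]
    result = [dict(group, count=n) for group, n in sorted(merged.items())]
    if shape == "lookup_after_stats":
        result = lookup(result, lookup_now, "user_id", "last_activity")
    return result


def stale_users(shape):
    """user_ids whose reported last_activity disagrees with the current file."""
    current = LOOKUP_DAY2
    return sorted(r["user_id"] for r in run_accelerated(shape, SPANS, current)
                  if r["last_activity"] != current[r["user_id"]])


if __name__ == "__main__":
    for shape in ("lookup_before_stats", "lookup_after_stats"):
        print(shape, run_accelerated(shape, SPANS, LOOKUP_DAY2),
              "stale:", stale_users(shape))
```

With the lookup before `stats`, user u1 keeps the day-1 last_activity in the day-1 chunk even after the file was rewritten; with the lookup after `stats`, every user_id gets the current value. In SPL terms the assumed rearrangement is `my search | stats count by user_id | lookup file.csv user_id OUTPUT last_activity`. The caveat is that this only works when last_activity is not needed before the transforming command (as a filter or a split-by field); in that case the summary has to be rebuilt, or the report re-run on a schedule after the file is rewritten, as David suggests.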