Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Acceleration - Search including lookup

HeinzWaescher
Motivator
‎02-20-2014 02:34 AM

Hi,

I would like to use Report Acceleration. My search is using a lookupfile and this lookupfile is updated once a day. Will the acceleration write the summary before using the lookup? So that the search will always use the latest version/information of my lookupfile?

BG

Heinz

0 Karma
Reply

DavidHourani
Super Champion
‎02-20-2014 02:40 AM

Hello Heinz,

If you create an Automatic lookup with your lookupfile the updated information will be accelerated when you modify your file.

Best regards,

David

0 Karma
Reply

DavidHourani
Super Champion
‎02-21-2014 06:49 AM

Hello again,

So your CSV file contains the last activity and the other info is from your search ?

Try using Automatic lookups instead of a lookup file that way you won't need to use the 'lookup' command but as far as Acceleration goes I think that once you accelerate a certain search, the results of the acceleration dont get modified over time unless you explicitly program schedule the search to run everyday after the lookupfile is re-written.

Best regards,
David

0 Karma
Reply

HeinzWaescher
Motivator
‎02-20-2014 03:20 AM

Hi,

I do it like this in the search string:

my search | lookup file.csv user_id OUTPUT last_activity |

The last_activity per user is written to the lookupfile each day at 00:00. So the last activity can change every time per user_id when the lookupfile is updated.

What I need is, that the latest last_activity is used for all former events per user_id, when I run the accelerated search.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...