Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Acceleration - Search including lookup

HeinzWaescher
Motivator
‎02-20-2014 02:34 AM

Hi,

I would like to use Report Acceleration. My search is using a lookupfile and this lookupfile is updated once a day. Will the acceleration write the summary before using the lookup? So that the search will always use the latest version/information of my lookupfile?

BG

Heinz

0 Karma
Reply

DavidHourani
Super Champion
‎02-20-2014 02:40 AM

Hello Heinz,

If you create an Automatic lookup with your lookupfile the updated information will be accelerated when you modify your file.

Best regards,

David

0 Karma
Reply

DavidHourani
Super Champion
‎02-21-2014 06:49 AM

Hello again,

So your CSV file contains the last activity and the other info is from your search ?

Try using Automatic lookups instead of a lookup file that way you won't need to use the 'lookup' command but as far as Acceleration goes I think that once you accelerate a certain search, the results of the acceleration dont get modified over time unless you explicitly program schedule the search to run everyday after the lookupfile is re-written.

Best regards,
David

0 Karma
Reply

HeinzWaescher
Motivator
‎02-20-2014 03:20 AM

Hi,

I do it like this in the search string:

my search | lookup file.csv user_id OUTPUT last_activity |

The last_activity per user is written to the lookupfile each day at 00:00. So the last activity can change every time per user_id when the lookupfile is updated.

What I need is, that the latest last_activity is used for all former events per user_id, when I run the accelerated search.

0 Karma
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...