Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Acceleration - Search including lookup

HeinzWaescher
Motivator
‎02-20-2014 02:34 AM

Hi,

I would like to use Report Acceleration. My search is using a lookupfile and this lookupfile is updated once a day. Will the acceleration write the summary before using the lookup? So that the search will always use the latest version/information of my lookupfile?

BG

Heinz

0 Karma
Reply

DavidHourani
Super Champion
‎02-20-2014 02:40 AM

Hello Heinz,

If you create an Automatic lookup with your lookupfile the updated information will be accelerated when you modify your file.

Best regards,

David

0 Karma
Reply

DavidHourani
Super Champion
‎02-21-2014 06:49 AM

Hello again,

So your CSV file contains the last activity and the other info is from your search ?

Try using Automatic lookups instead of a lookup file that way you won't need to use the 'lookup' command but as far as Acceleration goes I think that once you accelerate a certain search, the results of the acceleration dont get modified over time unless you explicitly program schedule the search to run everyday after the lookupfile is re-written.

Best regards,
David

0 Karma
Reply

HeinzWaescher
Motivator
‎02-20-2014 03:20 AM

Hi,

I do it like this in the search string:

my search | lookup file.csv user_id OUTPUT last_activity |

The last_activity per user is written to the lookupfile each day at 00:00. So the last activity can change every time per user_id when the lookupfile is updated.

What I need is, that the latest last_activity is used for all former events per user_id, when I run the accelerated search.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...