Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you update lookup tables when using sea...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a lookup table that is automatically updated every 15 minutes past the hour with external results (not in splunk). This needs to be pushed out to our clustered search heads members. How would be the best way to configure this?
My understanding is you can't just manually add a lookup to an app on the search heads individually as they don't appear to be able to see it. Instead, you have to run the cron to update the lookup on them master/deployer and then push & restart the entire search head cluster EVERY hour.
Hopefully there is a better solution to this. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could make a custom search command to get your external data then pipe to outputlookup. Schedule that search. The cluster will then replicate that updated lookup across members when it is refreshed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can put a monitor on the lookup file generated by crontab and then a scheduled search can "build" the new lookup by referencing the data collected by the monitor.
The other advantage of this is you can ensure all entries remain in the file in the event that your crontab fails for some reason. (by using a range greater than an hour and dedup)
Even better you could monitor a change file every hour and then build the lookup (or kvstore) based on the old lookup plus the changes:
|inputlookup lookup.csv |append [ search "find the new data collected by change file" ]|sort - _time |dedup key_to_file | outputlookup lookup.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could make a custom search command to get your external data then pipe to outputlookup. Schedule that search. The cluster will then replicate that updated lookup across members when it is refreshed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is the inevitable conclusion I came to as well. Sad they don't have any way to do this, makes it a pain to have to convert all our previously working crontabs to splunk commands just to get the cluster to "see" the new lookups.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
