
How to update lookup tables conditionally

hmallett
Path Finder

I have a large lookup table which is periodically generated from indexed data by a saved search.
The saved search takes a considerable amount of time. The saved search rewrites the lookup each time (i.e. it doesn't append).

The indexed data from which the lookup is generated is not updated continuously.

Every time the saved search that builds the lookup runs, it uses a large amount of Splunk resources.
If there has been no new indexed data, this means that we rebuild the lookup, using all those resources,
when we could have simply done nothing instead.

Is there an elegant way to modify the saved search so that if the latest indexed data is newer than a field in the lookup, we rebuild the lookup, but if not, the saved search ends without changing the lookup?

0 Karma

VatsalJagani
SplunkTrust

@hmallett,

There might be two possibilities in your case.

  • You always want the results of the saved search to be appended to the lookup. In this case you can use append=true with the outputlookup command.
  • In the other case you sometimes need to update the lookup based on some field. By this I mean you might have some unique field in the lookup, and if the same value pops up from the search you want to update the row in the lookup instead of appending a new row. In this case you can create a KV store lookup and make the unique value the key in the KV store lookup. You can find more about KV store lookups; just google it.

Hope this helps!!!

0 Karma

mmccul
SplunkTrust

The approach I'd at least consider would be to construct an alert that determines if the lookup table needs modifying. Run that alert periodically, keep that alert query simple. To make this alert work, you need some kind of time column or similar method to know "here's how recently updated this lookup table is". If you can use the lookup table to return a timestamp, you could even have that construct an earliest= field specification for your main search for data, so that the search starts at the time of the lookup table update timestamp.

Then, you'd need a custom alert action that executes a non-scheduled saved search to perform the lookup table update. Since a custom alert action could be a script, it could be used to trigger the saved search that does the update.

0 Karma
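As an added example (not from either answer above), the freshness check and the rebuild can also live in one scheduled search: a cheap gate yields 0 or 1 rows and `map` runs the expensive rebuild once per row, so with no new data nothing heavy runs; this replaces the custom alert action mmccul describes with `map`. It assumes an index `myindex`, sourcetype `mysrc`, an existing lookup file `my_lookup.csv` with a `last_updated` epoch column, and a rebuild that counts events by `src` and `user`.

```ini
# savedsearches.conf (added example; all names below are assumptions)
[rebuild_my_lookup_if_stale]
cron_schedule = 0 * * * *
enable_sched = 1
dispatch.earliest_time = 0
dispatch.latest_time = now
# Gate: newest event time from the tsidx summary (no raw-event scan) versus the
# timestamp the lookup carries. coalesce() treats an empty lookup as stale;
# inputlookup still errors if the file does not exist at all, so create it once.
# The gate produces at most one row; map runs the rebuild once per row, so an
# up-to-date lookup means the rebuild never executes. $latest_event$ is
# substituted by map, stamping the lookup with the newest event time it covers.
# override_if_empty=false keeps the old lookup if the rebuild returns nothing.
# The mapped search inherits the outer search's permissions and run limits.
search = | tstats max(_time) as latest_event where index=myindex sourcetype=mysrc \
  | appendcols [| inputlookup my_lookup.csv | stats max(last_updated) as lookup_updated] \
  | eval lookup_updated = coalesce(lookup_updated, 0) \
  | where latest_event > lookup_updated \
  | map maxsearches=1 search="search index=myindex sourcetype=mysrc earliest=0 \
      | stats count as events by src user \
      | eval last_updated = $latest_event$ \
      | outputlookup override_if_empty=false my_lookup.csv"
```

Because the gate reads only tsidx data and the lookup, a run that finds nothing new finishes in seconds; check the job inspector for the mapped search to confirm it was skipped.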