Solved: Re: Is it possible to reindex or preload a large l...

iKate · ‎07-13-2015

Hi splunkers!

I have a large lookup that is fully updated once a day.
The first time I address this lookup each day, it takes way too long time to get results.
After such initial reindexing or loading (not sure), further searches are calculated with normal speed.

Is it possible to preload/reindex it,not at a search-time, but beforehand, e.g. just after it's done updating on a schedule for all users?

Thank you!

martin_mueller · ‎07-13-2015

You could schedule a search that uses the lookup shortly after the scheduled time, causing Splunk to look at the lookup and force a rebuild of the lookup's ad-hoc index.

View solution in original post

martin_mueller · ‎07-13-2015

You could schedule a search that uses the lookup shortly after the scheduled time, causing Splunk to look at the lookup and force a rebuild of the lookup's ad-hoc index.

iKate · ‎07-14-2015

It worked! Great, thank you Martin!

Is it possible to reindex or preload a large lookup automatically for a user?

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

Are you a member of the Splunk Community?

Is it possible to reindex or preload a large lookup automatically for a user?

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal