Solved: Is it possible to reindex or preload a large looku...

iKate · ‎07-13-2015

Hi splunkers!

I have a large lookup that is fully updated once a day.
The first time I address this lookup each day, it takes way too long time to get results.
After such initial reindexing or loading (not sure), further searches are calculated with normal speed.

Is it possible to preload/reindex it,not at a search-time, but beforehand, e.g. just after it's done updating on a schedule for all users?

Thank you!

martin_mueller · ‎07-13-2015

You could schedule a search that uses the lookup shortly after the scheduled time, causing Splunk to look at the lookup and force a rebuild of the lookup's ad-hoc index.

View solution in original post

martin_mueller · ‎07-13-2015

You could schedule a search that uses the lookup shortly after the scheduled time, causing Splunk to look at the lookup and force a rebuild of the lookup's ad-hoc index.

iKate · ‎07-14-2015

It worked! Great, thank you Martin!

Is it possible to reindex or preload a large lookup automatically for a user?

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Join the Conversation

Is it possible to reindex or preload a large lookup automatically for a user?

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!