A splunk user has identified that a lookup table has not been updated for some time.
I was previously unaware of this lookup table as it had been created by someone else who no longer works on the system. I would like to investigate what script / report etc has generated and updated the lookup report previously, but I don't know where to start looking.
can anyone help guide me please with perhaps any queries or file searches that might be useful to identify what created the lookup file, and better still, what process/scrip/report was updating the lookup file?
Searching the _internal logs for the lookup name might give some clues (if those go back far enough).
For finding how it got updated, that would likely be a saved search, so if you have file system access on your search head(s), you could scan for savedsearches.conf files and in those search for the lookup name.