You can disable the periodic update of auditd_indicies.csv by going to Settings -> Searches, reports, and alerts -> Change the 'App Context' dropdown to 'Linux Auditd Technology Add-On (TA_linux-auditd)' -> Click 'Disable' next to the 'Update auditd_indicies lookup' search.
In what way is the lookup being truncated? The saved search mentioned above uses this (| tstats values(sourcetype) as sourcetype where [|inputlookup auditd_sourcetypes] by index | table index | outputlookup auditd_indicies) to update the auditd_indicies.csv lookup every four hours. If the auditd_indicies.csv lookup is empty after this runs, I think the issue may be that there's a problem with auditd_sourcetypes.csv - have you modified it, and if so, could you please provide it?
Here's an example of what an auditd_sourcetypes.csv should look like if you've modified it to support the vendor's old sourcetype naming convention:
sourcetype
linux:audit
linux_audit