Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you manage several look-ups reviews?

AntoineDRN
Path Finder
‎12-06-2022 08:08 AM

Hello Splunkers, 

 

I come to you in order to gather some tips and tricks around look-ups management.

For example, I have several look-ups used to whitelist some machine, and after a time a part of these machine aren't used anymore. I bet we are not the only one to face this, so I was wondering, how you manage the review and update of these? 

I first had the idea to use the [fschange] stanza on ours to get mofications (with time information and details about the change Add/Delete/Edit). But i also saw that is was deprecated. Is it still a good thing to use in order to manage our look-ups? Is there something that replace this stanza? Because I unfortunately have not found anything. 

I also thought adding columns to have the "Creation date"/"Modification date"/"Too old" or stuff like that for each row. Is that a good enought workaround?

 

Thanks for your tips! 🙂

Happy Splunking,

A-D

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Atriarc
SplunkTrust
SplunkTrust
‎12-06-2022 08:54 AM

I would think that adding an additional column to your lookups containing the epoch time value for when the entry was created (or modified if you want that much granularity/complexity). From there it just becomes a matter of when to roll stale data out of the lookup. 

View solution in original post

Tags (1)
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-06-2022 09:01 AM

Hi @AntoineDRN,

I'd create a scheduled search that checks the missing machines, so you can update your lookup when in the results there's a deprecated machine.

Or otherwise (I don't like it) you could also automatically update your lookup using a scheduled search, but I prefer the other solution because it gives me more control.

Ciao.

Giuseppe

Reply
Solved! Jump to solution
Solution

Atriarc
SplunkTrust
SplunkTrust
‎12-06-2022 08:54 AM

I would think that adding an additional column to your lookups containing the epoch time value for when the entry was created (or modified if you want that much granularity/complexity). From there it just becomes a matter of when to roll stale data out of the lookup. 

Tags (1)
Reply
Solved! Jump to solution

AntoineDRN
Path Finder
‎12-07-2022 11:48 PM

That's what I will try to implement.

Thanks for your answer

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...