Splunk Enterprise Security

Splunk for Enterprise Security: How can I force Splunk to check for a new version of my CSV threat lists?

RiccardoV
Communicator

Hi,

I am using Splunk 6.2.2 and Enterprise Security 3.1.1.
I have a bunch of threat lists (the actual URLs are lookups to local csv files: lookup://threatlist_lookup ).
If i update the csv, I notice that Splunk ES doesn't immediately use the new version of the threatlist, but the old one. Only after some time does it "refresh" those lists using the new data.
How can I force Splunk to check if a "new version" of the csv files are available?

Thanks

1 Solution

bjoernjensen
Contributor

A debug refresh could help. Within a browser open your equivalent of http_//SPLUNKSERVER:8000/en-GB/debug/refresh

Another approach can be found in the answer from @bmacias84 in this topic:
http://answers.splunk.com/answers/86564/updating-lookup-table-data-externally-auto-magically.html

View solution in original post

bjoernjensen
Contributor

A debug refresh could help. Within a browser open your equivalent of http_//SPLUNKSERVER:8000/en-GB/debug/refresh

Another approach can be found in the answer from @bmacias84 in this topic:
http://answers.splunk.com/answers/86564/updating-lookup-table-data-externally-auto-magically.html

Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...