Solved: Splunk for Enterprise Security: How can I force Sp...

RiccardoV · ‎03-18-2015

Hi,

I am using Splunk 6.2.2 and Enterprise Security 3.1.1.
I have a bunch of threat lists (the actual URLs are lookups to local csv files: lookup://threatlist_lookup ).
If i update the csv, I notice that Splunk ES doesn't immediately use the new version of the threatlist, but the old one. Only after some time does it "refresh" those lists using the new data.
How can I force Splunk to check if a "new version" of the csv files are available?

Thanks

bjoernjensen · ‎03-18-2015

A debug refresh could help. Within a browser open your equivalent of http_//SPLUNKSERVER:8000/en-GB/debug/refresh

Another approach can be found in the answer from @bmacias84 in this topic:
http://answers.splunk.com/answers/86564/updating-lookup-table-data-externally-auto-magically.html

View solution in original post

bjoernjensen · ‎03-18-2015

A debug refresh could help. Within a browser open your equivalent of http_//SPLUNKSERVER:8000/en-GB/debug/refresh

Another approach can be found in the answer from @bmacias84 in this topic:
http://answers.splunk.com/answers/86564/updating-lookup-table-data-externally-auto-magically.html

Splunk for Enterprise Security: How can I force Splunk to check for a new version of my CSV threat lists?

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

Index This | How many sides does a circle have?