Alerting

updating a lookup table by external means

aniketb
Path Finder

Hi,

I have a lookup table of trusted hosts. This is being used in an alert to match for entries. Since this is a learning phase, I have to keep updating my lookup table of trusted hosts.

If I just delete the .csv file and add a new updated .csv file with same name, will the alert stay unaffected? Or I have to reconfigure the alert after every update to the lookup file? Does any other way exist for this?

Tags (3)
1 Solution

hexx
Splunk Employee
Splunk Employee

Updating a lookup table file by external means should be no problem as long as the name of the file remains the same. Splunk will re-read the file every time it needs to be used if it's very small, or reload it from disk when a change is detected if it's large.

View solution in original post

bhupalbobbadi
Path Finder

I have a simple 2 field csv file and is configured with lookup table, when I add new line to the csv file it is not reflecting in search. Do I need to do anything manually here?

0 Karma

hexx
Splunk Employee
Splunk Employee

Updating a lookup table file by external means should be no problem as long as the name of the file remains the same. Splunk will re-read the file every time it needs to be used if it's very small, or reload it from disk when a change is detected if it's large.

aniketb
Path Finder

Thanks! I just deleted and replaced the file and still everything runs smoothly!

0 Karma

bhupalbobbadi
Path Finder

I have a simple 2 field csv file and is configured with lookup table, when I add new line to the csv file it is not reflecting in search. Do I need to do anything manually here?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...