Timing of lookup table reference for alerts and reports

Security business menu

Security business
HOME

To be elected
cause

Service

Handling Manufacturer

Examples/reports/
Blog/Glossary

Seminar/
video on demand

TOP

Products/Services

Specifications/Technical Information

Specifications/Technical Information
- Splunk Enterprise features
- Splunk Technology Blog

solution

solution

User stories

support

Seminar content

Evaluation machine application/FAQ

Application for evaluation machine
- Splunk Evaluation Download
FAQ

Document request

inquiry

Event/Seminar

video on demand

Timing of lookup table reference by alerts and reports

release date: 2016-05-27

last updated: 2016-05-02

version: Splunk Enterprise 9.0.4

Overview: This article describes how to reflect lookup table updates in real-time searches.

Reference information

https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Lookup

content

Real-time search lookup table reference timing

When using a real-time search as an alert/report, the lookup table referenced will continue to be the one from the time the real-time search was first executed.

The update=true option is required to always reflect the latest lookup table in real-time search.

Without update=true option

Real-time search refers only to the first lookup table, and subsequent updates to the lookup table are not reflected in real-time search.

Search execution example) sourcetype=cc | lookup testlookup zz OUTPUT xx yy

If you have the update=true option

Real-time search always refers to the latest lookup table.

Search execution example) sourcetype=cc | lookup update=true testlookup zz OUTPUT xx yy

that's all

to previous page

In charge of Macnica Splunk Co., Ltd.

inquiry Document request

TEL：045-476-2010
E-mail：splunk-sales@macnica.co.jp

Mon-Fri 8:45-17:30