Suddenly, I have seen that one of the lookups is empty. So how can I find the root cause for this? As per my knowledge, it is generated by running some script, but I can't find any information.
Use the modification timestamp of the csv to narrow down your timerange.
If you're filling the lookup from a search using outputlookup, look at the scheduler logs in _internal for that search, it possibly returned zero results.
If you're filling the lookup externally then look at logs from that external system around the modification time.
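The steps in the answer above, as an added example that is not part of the original post: it reads the CSV's modification time, checks whether the file has only a header row, and builds SPL searches bounded to that time. The file name `threat_ips.csv`, the 15-minute window, and the assumption that the populating search names the CSV file directly in `outputlookup` are illustrative.

```python
import csv
import os
import tempfile


def lookup_state(path):
    """Return (mtime_epoch, data_row_count) for a lookup CSV; header row excluded."""
    mtime = int(os.path.getmtime(path))
    with open(path, newline="", encoding="utf-8") as fh:
        rows = [r for r in csv.reader(fh) if any(c.strip() for c in r)]
    return mtime, max(len(rows) - 1, 0)


def scheduler_search(mtime, window=900):
    """SPL for scheduler activity within +/- window seconds of the CSV's mtime."""
    return (
        f"index=_internal sourcetype=scheduler "
        f"earliest={mtime - window} latest={mtime + window} "
        "| table _time app savedsearch_name status result_count run_time "
        "| sort _time"
    )


def writer_search(lookup_file):
    """SPL listing saved searches whose query writes this file via outputlookup.

    Assumption: the search references the CSV file name, not a lookup definition.
    """
    return (
        "| rest /servicesNS/-/-/saved/searches splunk_server=local "
        f'| search search="*outputlookup*{lookup_file}*" '
        "| table title eai:acl.app cron_schedule"
    )


if __name__ == "__main__":
    # Constructed sample: a header-only lookup with a fixed modification time.
    path = os.path.join(tempfile.mkdtemp(), "threat_ips.csv")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("ip,description\n")
    os.utime(path, (1700000000, 1700000000))

    mtime, data_rows = lookup_state(path)
    print(f"mtime={mtime} data_rows={data_rows}")
    print(writer_search(os.path.basename(path)))
    print(scheduler_search(mtime))
```

A `result_count` of 0 for the populating search inside that window points to the search itself; if no scheduled search ran then, the file was written externally.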
Hey,
If the app is being deployed via deployment server there might be an issue.
You can exclude certain lookups from your deployment:
https://answers.splunk.com/answers/193461/is-it-safe-to-deploy-apps-with-lookups-using-the-d-1.html
All the best,
Björn
Hi,
Can you please provide more information: which lookup is not populating in Splunk, and in which app is the lookup present?
So we have a lookup which belongs to one of the threat intelligence apps. It updates through some script. So I want to check the modification logs for this update. I have looked through the internal index but am not getting any useful information.
In that case you need to check that threat intelligence app's log (if the app is generating any log). I am afraid that I'll not be able to help more here because I don't know which threat intelligence app you are using and how it is generating the lookup file.