Splunk Enterprise Security

Lookup is empty & not able to find how it is generated.

nishit_92
Explorer

Suddenly, I have seen that one of the lookups is empty. So how can I find the root cause for this? As per my knowledge, it is generated by running some script, but I can't find any information.

0 Karma

martin_mueller
SplunkTrust

Use the modification timestamp of the csv to narrow down your timerange.
If you're filling the lookup from a search using outputlookup, look at the scheduler logs in _internal for that search, it possibly returned zero results.
If you're filling the lookup externally then look at logs from that external system around the modification time.

0 Karma
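
The correlation described in the answer above, as an added example that is not part of the original thread: it scans scheduler.log-style lines for scheduled runs near the lookup CSV's modification time that returned zero results or did not succeed. The log lines, app name and search names are constructed, and the 10-minute default window is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the key=value layout of Splunk's scheduler.log
# (app and search names are hypothetical).
SAMPLE_LOG = '''\
03-12-2024 09:00:03.412 +0000 INFO  SavedSplunker - user="nobody", app="threat_app", savedsearch_name="Example - Lookup Gen", status=success, run_time=2.114, result_count=1842
03-12-2024 10:00:02.901 +0000 INFO  SavedSplunker - user="nobody", app="threat_app", savedsearch_name="Example - Lookup Gen", status=success, run_time=0.377, result_count=0
03-12-2024 10:00:04.100 +0000 INFO  SavedSplunker - user="admin", app="search", savedsearch_name="Unrelated Alert", status=success, run_time=0.912, result_count=0
03-12-2024 11:00:01.050 +0000 INFO  SavedSplunker - user="nobody", app="threat_app", savedsearch_name="Example - Lookup Gen", status=skipped
'''

TS = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} ([+-]\d{4})")
KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_line(line):
    """Return (timestamp, fields) for one scheduler.log line, or None."""
    m = TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m-%d-%Y %H:%M:%S %z")
    return ts, {k: q or u for k, q, u in KV.findall(line)}

def suspect_runs(log_text, lookup_mtime, search_name=None,
                 window=timedelta(minutes=10)):
    """Runs near the CSV's mtime that returned nothing or did not succeed."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if abs(ts - lookup_mtime) > window:
            continue  # outside the time range narrowed down by the mtime
        if search_name and f.get("savedsearch_name") != search_name:
            continue
        # A skipped or failed run has no result_count at all.
        if f.get("status") != "success" or f.get("result_count") == "0":
            hits.append((ts, f.get("savedsearch_name"),
                         f.get("status"), f.get("result_count")))
    return hits

if __name__ == "__main__":
    # In practice: datetime.fromtimestamp(os.path.getmtime(csv_path), timezone.utc)
    mtime = datetime(2024, 3, 12, 10, 0, 5, tzinfo=timezone.utc)  # constructed
    for hit in suspect_runs(SAMPLE_LOG, mtime, "Example - Lookup Gen"):
        print(hit)
```

Leaving `search_name` unset lists every zero-result or unsuccessful run in the window, which helps when it is not yet known which scheduled search writes the lookup.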


bjoernjensen
Contributor

Hey,

If the app is being deployed via deployment server there might be an issue.

You can exclude certain lookups from your deployment:
https://answers.splunk.com/answers/193461/is-it-safe-to-deploy-apps-with-lookups-using-the-d-1.html

All the best,
Björn

0 Karma

harsmarvania57
SplunkTrust

Hi,

Can you please provide more information: which lookup is not populating in Splunk, and in which app is the lookup present?

0 Karma

nishit_92
Explorer

So we have a lookup which belongs to one of the threat intelligence apps. It updates through some script. So I want to check the update modification logs for it. I have looked through the internal index but am not getting any useful information.

0 Karma

harsmarvania57
SplunkTrust

In that case you need to check that Threat Intelligence app's log (if the app is generating any log). I am afraid that I'll not be able to help more here because I don't know which threat intelligence app you are using and how it is generating the lookup file.

0 Karma