Re: Splunk is not displaying the latest time of lo...

ganji · ‎01-29-2019

Splunk is not displaying the latest time of lookup updated
| rest /servicesNS/-/-/data/lookup-table-files
| search title=*
| table title updated
title updated
test.csv 1969-12-31T18:00:00-06:00

mydog8it · ‎01-16-2020

Was this issue ever resolved? I am seeing the same issue in my SplunkCloud environment.

woodcock · ‎01-30-2019

Definitely open a support case.

woodcock · ‎01-30-2019

I suspect that the system clock on the host OS of your Search Head is borked or there is a Splunk bug somewhere. That says that the timestamp on the file is 0, which should not happen.

ganji · ‎01-30-2019

Hello @woodcock, I do not see any issue with host OS. Not sure if it is a bug with Splunk, as a similar version of Splunk on the other SH is working fine.

ganji · ‎01-30-2019

@DMohn, lookup file was generated from outputlookup.

DMohn · ‎01-30-2019

This time normally indicates, that the corresponding CSV hasn't been updated via Splunk at all. (It is the '0' UNIX timestamp value).

This interface will only show update times, if the lookup file is updates by means of Splunk (eg. outputlookup) - not if it is re-uploaded via the OS.

harishalipaka · ‎01-29-2019

hi @ganji

check your user timezone

Thanks
Harish

ganji · ‎01-30-2019

@harishalipaka, thanks for replying. User time zone is Default System Timezone and user timezone may not be the issue.

Splunk is not displaying the latest time of lookup updated

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases