Do you have critically important lookups that power some of your Splunk solutions? Have those lookups ever been accidentally deleted? Does your current mitigation cause other problems (hint: I assure you that it does)? If so, this app can help you permanently solve this problem!

Here is how to CONFIGURE it:
1: Run the "TEST: SRLA_timeformat_next_scheduled_time" search and adjust the "SRLA_timeformat_next_scheduled_time" macro until the "TEST: SRLA_timeformat_next_scheduled_time" field has a value of "PASS".

Here is how to DEMO it:
2: Run the "CREATE: Self-Resurrecting_Lookup_Alerts" whenever you need to (re)create the test lookup file, which is protected when you
3: ENABLE the "ALERT: Self-Resurrecting_Lookup_Alerts" scheduled search and let it run at least once to create a search job artifact that is the ephemeral backup of the lookup data.

Here is how to TEST it:
4: Delete the "Self-Resurrecting_Lookup_Alerts.csv" file and watch as the next run of the "ALERT: Self-Resurrecting_Lookup_Alerts" automatically resurrects the lookup data!

Here is how to DEPLOY it:
5: Read the "Description" of the "ALERT: Self-Resurrecting_Lookup_Alerts" scheduled search for advanced configuration choices.
6: Clone the "ALERT: Self-Resurrecting_Lookup_Alerts" scheduled search (name it whatever you like; it doesn't matter), and update the argument of the macro inside to be the name of the lookup definition pointing to the lookup data that you desire to protect.