
Self-Resurrecting Lookup Alerts (SRLA)

Do you have critically important lookups that power some of your Splunk solutions? Have those lookups ever been accidentally deleted? Does your current mitigation cause other problems (hint: I assure you that it does)? If so, this app can help you permanently solve this problem!

Here is how to CONFIGURE it:

1: Run the "TEST: SRLA_timeformat_next_scheduled_time" search and adjust the "SRLA_timeformat_next_scheduled_time" macro until the "TEST: SRLA_timeformat_next_scheduled_time" field has a value of "PASS".

Here is how to DEMO it:

2: Run the "CREATE: Self-Resurrecting_Lookup_Alerts" whenever you need to (re)create the test lookup file, which is protected once you complete step 3.

3: ENABLE the "ALERT: Self-Resurrecting_Lookup_Alerts" scheduled search and let it run at least once to create a search job artifact that is the ephemeral backup of the lookup data.

Here is how to TEST it:

4: Delete the "Self-Resurrecting_Lookup_Alerts.csv" file and watch as the next run of the "ALERT: Self-Resurrecting_Lookup_Alerts" automatically resurrects the lookup data!

Here is how to DEPLOY it:

5: Read the "Description" of the "ALERT: Self-Resurrecting_Lookup_Alerts" scheduled search for advanced configuration choices.

6: Clone the "ALERT: Self-Resurrecting_Lookup_Alerts" scheduled search (name it whatever you like; it doesn't matter), and update the argument of the macro inside to be the name of the lookup definition pointing to the lookup data that you desire to protect.


Latest Version 1.0.0
March 21, 2025
Compatibility
Not Available
Platform Version: 9.4, 9.3, 9.2, 9.1, 9.0, 8.2, 8.1, 8.0, 7.3, 7.2, 7.1, 7.0
CIM Version: 6.x, 5.x, 4.x, 3.x
Support
Developer Supported app

Categories

Created By

Gregg Woodcock

Type

app

Downloads

4
