https://community.splunk.com/t5/Splunk-Search/how-to-use-scripted-input-for-refreshing-lookup-data/m-p/63620#M15718 <P>I have two files <CODE>test1.csv</CODE> and <CODE>test2.csv</CODE>. I indexed them in Splunk and then use them as lookup. These two files are refreshed everyday with updated data. What i want to do is refresh my lookups with new data in csv files. Here is what i came up with and put in <CODE>refresh.bat</CODE> files.</P> <PRE><CODE> generatetest1.csv generatetest2.csv ./splunk stop ./splunk clean eventdata -index test1_index -f ./splunk clean eventdata -index test2_index -f ./splunk start ./splunk add oneshot "C:\downloads\proto_data\csv\test1.csv" -sourcetype csv -index test1_index -rename-source test1 -auth admin:changeme ./splunk search "index=test1_index | outputlookup test1lookup.csv" -auth admin:changeme ./splunk add oneshot C:\downloads\proto_data\csv\test2.csv -sourcetype csv -index test2_index -rename-source test2 -auth admin:changeme ./splunk search "index=test2_index | outputlookup test2lookup.csv" -auth admin:changeme </CODE></PRE> <P>I have two questions:</P> <OL> <LI>is this the right way to do?</LI> <LI>if yes, how can i modify above script such that instead of calling generatetest1.csv and generatetest2.csv and creating test1.csv and test2.csv i can use scripted input and refresh my lookups.</LI> </OL> <P>thanks</P> Wed, 24 Aug 2011 15:35:11 GMT desi 2011-08-24T15:35:11Z https://community.splunk.com/t5/Splunk-Search/how-to-use-scripted-input-for-refreshing-lookup-data/m-p/63620#M15718 <P>I have two files <CODE>test1.csv</CODE> and <CODE>test2.csv</CODE>. I indexed them in Splunk and then use them as lookup. These two files are refreshed everyday with updated data. What i want to do is refresh my lookups with new data in csv files. Here is what i came up with and put in <CODE>refresh.bat</CODE> files.</P> <PRE><CODE> generatetest1.csv generatetest2.csv ./splunk stop ./splunk clean eventdata -index test1_index -f ./splunk clean eventdata -index test2_index -f ./splunk start ./splunk add oneshot "C:\downloads\proto_data\csv\test1.csv" -sourcetype csv -index test1_index -rename-source test1 -auth admin:changeme ./splunk search "index=test1_index | outputlookup test1lookup.csv" -auth admin:changeme ./splunk add oneshot C:\downloads\proto_data\csv\test2.csv -sourcetype csv -index test2_index -rename-source test2 -auth admin:changeme ./splunk search "index=test2_index | outputlookup test2lookup.csv" -auth admin:changeme </CODE></PRE> <P>I have two questions:</P> <OL> <LI>is this the right way to do?</LI> <LI>if yes, how can i modify above script such that instead of calling generatetest1.csv and generatetest2.csv and creating test1.csv and test2.csv i can use scripted input and refresh my lookups.</LI> </OL> <P>thanks</P> Wed, 24 Aug 2011 15:35:11 GMT https://community.splunk.com/t5/Splunk-Search/how-to-use-scripted-input-for-refreshing-lookup-data/m-p/63620#M15718 desi 2011-08-24T15:35:11Z https://community.splunk.com/t5/Splunk-Search/how-to-use-scripted-input-for-refreshing-lookup-data/m-p/63621#M15719 <P>So there is actually a lookup search cmd which will use a csv for this purpose. If that doesn't work you can actually use a scripted lookup. Take a <A href="http://www.splunk.com/base/Documentation/latest/Knowledge/Addfieldsfromexternaldatasources">look at the docs</A>. OR <A href="http://blogs.splunk.com/2009/07/27/enriching-data-with-lookups-part-1/">this blog post</A>. </P> Wed, 24 Aug 2011 16:56:48 GMT https://community.splunk.com/t5/Splunk-Search/how-to-use-scripted-input-for-refreshing-lookup-data/m-p/63621#M15719 melting 2011-08-24T16:56:48Z