https://community.splunk.com/t5/Splunk-Search/LookUp-Files-Issues/m-p/466539#M191827 <P>Hi @zacksoft,<BR /> as I said, you have:</P> <UL> <LI>to read the csv file using a Universal Forwarder (if it's located in a different server than the Indexer) or the monitor function of the Indexer (if it's located in the Indexer);</LI> <LI>schedule a search to create your lookup.</LI> </UL> <P>Only one question: when you read the content of the csv, you add records to the lookup or override it?<BR /> because, if you override it you could think to don't use the lookup but store the csv in an index and run a simple search on this index: in this way you'll have always updated data.</P> <P>Ciao.<BR /> Giuseppe</P> Tue, 17 Dec 2019 10:45:24 GMT gcusello 2019-12-17T10:45:24Z https://community.splunk.com/t5/Splunk-Search/LookUp-Files-Issues/m-p/466536#M191824 <P>I have a lookup file called PriceFactot.csv. I have defined this lookup table and then in query I use <BR /> | inputlookup PriceFactor.csv and get my data.</P> <P>The thing is, PriceFactor.csv's content changes twice a day. SO each time I have to upload/define the new lookup in splunk , or else in the query in shows me stale data. </P> <P>Is there anyway to make Splunk to keep reading the lookup file or dynamically update itself etc...or any other suggestion??</P> Tue, 17 Dec 2019 10:13:31 GMT https://community.splunk.com/t5/Splunk-Search/LookUp-Files-Issues/m-p/466536#M191824 zacksoft 2019-12-17T10:13:31Z https://community.splunk.com/t5/Splunk-Search/LookUp-Files-Issues/m-p/466537#M191825 <P>Hi @zacksoft,<BR /> you have to schedule a search to automatically update your lookup e.g. twice in a day.<BR /> You can do it scheduling the lookup update search (the one finishing with <CODE>outputlookup PriceFactor.csv</CODE>) as an alert (running e.g. at 7.00 and 13.00) so you'll automatically have your lookup updated.</P> <P>If you have many records in you lookup, you could also think to use a summary index instead a lookup to update in the same way.</P> <P>Ciao.<BR /> Giuseppe</P> Tue, 17 Dec 2019 10:24:51 GMT https://community.splunk.com/t5/Splunk-Search/LookUp-Files-Issues/m-p/466537#M191825 gcusello 2019-12-17T10:24:51Z https://community.splunk.com/t5/Splunk-Search/LookUp-Files-Issues/m-p/466538#M191826 <P>The lookup contents are externally updated by another program. I don't have control over it. And the look up is placed in a windows drive folder. What I am looking for is, to read the lookup automatically so that I can get the updated contents. </P> Tue, 17 Dec 2019 10:30:32 GMT https://community.splunk.com/t5/Splunk-Search/LookUp-Files-Issues/m-p/466538#M191826 zacksoft 2019-12-17T10:30:32Z https://community.splunk.com/t5/Splunk-Search/LookUp-Files-Issues/m-p/466539#M191827 <P>Hi @zacksoft,<BR /> as I said, you have:</P> <UL> <LI>to read the csv file using a Universal Forwarder (if it's located in a different server than the Indexer) or the monitor function of the Indexer (if it's located in the Indexer);</LI> <LI>schedule a search to create your lookup.</LI> </UL> <P>Only one question: when you read the content of the csv, you add records to the lookup or override it?<BR /> because, if you override it you could think to don't use the lookup but store the csv in an index and run a simple search on this index: in this way you'll have always updated data.</P> <P>Ciao.<BR /> Giuseppe</P> Tue, 17 Dec 2019 10:45:24 GMT https://community.splunk.com/t5/Splunk-Search/LookUp-Files-Issues/m-p/466539#M191827 gcusello 2019-12-17T10:45:24Z https://community.splunk.com/t5/Splunk-Search/LookUp-Files-Issues/m-p/466540#M191828 <P>Thanks @gcusello . It overrides. It doesn't add records. </P> Tue, 17 Dec 2019 10:50:01 GMT https://community.splunk.com/t5/Splunk-Search/LookUp-Files-Issues/m-p/466540#M191828 zacksoft 2019-12-17T10:50:01Z https://community.splunk.com/t5/Splunk-Search/LookUp-Files-Issues/m-p/466541#M191829 <P>Hi @zacksoft,<BR /> check what's the execution time and the number of results: if the search isn't heavy and you have less that 50,000 results, you can use it in your searches.<BR /> Anyway, you can schedule the search to populate the lookup.</P> <P>Ciao.<BR /> Giuseppe</P> Tue, 17 Dec 2019 11:20:47 GMT https://community.splunk.com/t5/Splunk-Search/LookUp-Files-Issues/m-p/466541#M191829 gcusello 2019-12-17T11:20:47Z