https://community.splunk.com/t5/Splunk-Search/Edit-a-lookup-file-through-the-REST-API/m-p/570445#M198822 <P>As we wrote - your process has to rewrite contents of the lookup completely.</P><P>As a matter of fact, I have a similar situation - my users supply data in .csv file put on a network share. I read this file as a delimited source file and push the events into a small auxiliary index. Then I do a scheduled report which reads the latest occurences of the events and ends with | outputlookup in order to write the results to a lookup. This way whenever my users put a new file into a well-known location, they get an updated lookup within few minutes.</P><P>EDIT: As a word of explanation - I could have done that perfectly well using external scripts and calling appropriate REST endpoint to refresh contents of the lookup file but in this case the point was that I wanted to do it entirely with built-in splunk functionality - without any external tools.</P> Tue, 12 Oct 2021 05:10:22 GMT PickleRick 2021-10-12T05:10:22Z https://community.splunk.com/t5/Splunk-Search/Edit-a-lookup-file-through-the-REST-API/m-p/570012#M198681 <P>Hello !!</P><P>I am new to using splunk and would like to know if it is possible to edit a lookup file via Splunk REST API or lookup editor API ?&nbsp;</P><P>Thank y'all</P> Thu, 07 Oct 2021 08:49:01 GMT https://community.splunk.com/t5/Splunk-Search/Edit-a-lookup-file-through-the-REST-API/m-p/570012#M198681 rolyrolex 2021-10-07T08:49:01Z https://community.splunk.com/t5/Splunk-Search/Edit-a-lookup-file-through-the-REST-API/m-p/570130#M198713 <P>There is no API for updating parts of a lookup file.&nbsp; You must replace the whole thing.&nbsp; See the REST Reference Manual at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.2/RESTREF/RESTknowledge#data.2Flookup-table-files.2F.7Bname.7D" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.2/RESTREF/RESTknowledge#data.2Flookup-table-files.2F.7Bname.7D</A></P><P>&nbsp;</P> Thu, 07 Oct 2021 19:26:47 GMT https://community.splunk.com/t5/Splunk-Search/Edit-a-lookup-file-through-the-REST-API/m-p/570130#M198713 richgalloway 2021-10-07T19:26:47Z https://community.splunk.com/t5/Splunk-Search/Edit-a-lookup-file-through-the-REST-API/m-p/570141#M198716 <P>In general, it's not possible to update parts of a file-based lookup. You can overwrite whole lookup file (either by REST API or outputlookup command). You can of course edit the file directly on the server(s) but it will also effectively work as complete replacement of old contents when splunk reloads the lookup file.</P> Thu, 07 Oct 2021 21:00:52 GMT https://community.splunk.com/t5/Splunk-Search/Edit-a-lookup-file-through-the-REST-API/m-p/570141#M198716 PickleRick 2021-10-07T21:00:52Z https://community.splunk.com/t5/Splunk-Search/Edit-a-lookup-file-through-the-REST-API/m-p/570425#M198818 <P>Thank you all for your responses.</P><P>I think I should fully explain what I would like to do to find out if this is possible.</P><P>we have lookup file configurations in a Google Sheet, currently we are updating these configurations manually in the lookup files in splunk.</P><P>Now we want to automate the creation or modification directly from the google sheet.</P><P>So I would like to know if this is possible with splunk tools.</P><P>Thank you</P> Mon, 11 Oct 2021 07:56:01 GMT https://community.splunk.com/t5/Splunk-Search/Edit-a-lookup-file-through-the-REST-API/m-p/570425#M198818 rolyrolex 2021-10-11T07:56:01Z https://community.splunk.com/t5/Splunk-Search/Edit-a-lookup-file-through-the-REST-API/m-p/570445#M198822 <P>As we wrote - your process has to rewrite contents of the lookup completely.</P><P>As a matter of fact, I have a similar situation - my users supply data in .csv file put on a network share. I read this file as a delimited source file and push the events into a small auxiliary index. Then I do a scheduled report which reads the latest occurences of the events and ends with | outputlookup in order to write the results to a lookup. This way whenever my users put a new file into a well-known location, they get an updated lookup within few minutes.</P><P>EDIT: As a word of explanation - I could have done that perfectly well using external scripts and calling appropriate REST endpoint to refresh contents of the lookup file but in this case the point was that I wanted to do it entirely with built-in splunk functionality - without any external tools.</P> Tue, 12 Oct 2021 05:10:22 GMT https://community.splunk.com/t5/Splunk-Search/Edit-a-lookup-file-through-the-REST-API/m-p/570445#M198822 PickleRick 2021-10-12T05:10:22Z https://community.splunk.com/t5/Splunk-Search/Edit-a-lookup-file-through-the-REST-API/m-p/570794#M198913 <P>Thank you !!</P><P>Can i use this with splunk cloud&nbsp; ? or how do i put a file in the&nbsp;<SPAN>upload staging area ?</SPAN></P><P>&nbsp;</P> Wed, 13 Oct 2021 15:11:41 GMT https://community.splunk.com/t5/Splunk-Search/Edit-a-lookup-file-through-the-REST-API/m-p/570794#M198913 rolyrolex 2021-10-13T15:11:41Z