https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-file-in-Splunk-from-Phantom/m-p/600381#M208995 <P>That did also not work for the same permission related reasons, but like I said it's working now.</P><P>cheers, MuS</P> Fri, 03 Jun 2022 05:08:34 GMT MuS 2022-06-03T05:08:34Z https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-file-in-Splunk-from-Phantom/m-p/552038#M156663 <P>How to update a lookup file in splunk from Phantom?</P> Tue, 18 May 2021 12:25:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-file-in-Splunk-from-Phantom/m-p/552038#M156663 yadavameeth 2021-05-18T12:25:45Z https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-file-in-Splunk-from-Phantom/m-p/597863#M208182 <P>Hi there,</P><P>we encountered the exact same problem. Using the provided commands in the Splunk app in Phantom it seems there is no way to update a lookup table BUT we have a workaround for that <span class="lia-unicode-emoji" title=":winking_face:">😉</span> If you are forwarding the Phantom event to Splunk you can use those events and run a scheduled search that will then update the lookup file.</P><P>Hope this helps ...</P><P>cheers, MuS</P> Sun, 15 May 2022 00:47:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-file-in-Splunk-from-Phantom/m-p/597863#M208182 MuS 2022-05-15T00:47:36Z https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-file-in-Splunk-from-Phantom/m-p/600254#M208963 <P>Okay, found the solution!&nbsp;</P><P>It's not documented anywhere but the lookup definition in Splunk needs to be shared globally AND the owner of the lookup definition needs to be 'nobody' - also remember to set the permission of the CSV so everyone is able to write and share it globally as well.&nbsp;</P><P>Hope this helps ...</P><P>cheers, MuS</P> Thu, 02 Jun 2022 10:00:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-file-in-Splunk-from-Phantom/m-p/600254#M208963 MuS 2022-06-02T10:00:43Z https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-file-in-Splunk-from-Phantom/m-p/600274#M208965 <P>You could also simply call REST API to update lookup contents.</P> Thu, 02 Jun 2022 12:13:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-file-in-Splunk-from-Phantom/m-p/600274#M208965 PickleRick 2022-06-02T12:13:38Z https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-file-in-Splunk-from-Phantom/m-p/600381#M208995 <P>That did also not work for the same permission related reasons, but like I said it's working now.</P><P>cheers, MuS</P> Fri, 03 Jun 2022 05:08:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-file-in-Splunk-from-Phantom/m-p/600381#M208995 MuS 2022-06-03T05:08:34Z https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-file-in-Splunk-from-Phantom/m-p/625336#M217378 <P>Hi i made <A href="https://github.com/mthcht/lookup-editor_scripts#readme." target="_self">these scripts</A> to update or upload lookups on splunk using lookup-editor endpoint&nbsp;</P><P>It can save the content of lookup(s) from splunk, add new fields and values or merge files and update them on splunk, you can use them in your playbooks</P> Tue, 27 Dec 2022 15:19:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-file-in-Splunk-from-Phantom/m-p/625336#M217378 mthcht 2022-12-27T15:19:56Z