topic Re: How to test if a lookup does exist in Splunk Search

How to test if a lookup does exist?

vagnet — Thu, 17 Nov 2022 18:56:56 GMT

Hi Splunkers,

I want to create a macro that will be looking inside a lookup file, but in a way that will not break the search if the lookup is non-existent after some time.

Is there any equivalent of for example Linux known "test -f filename" in Splunk?

Re: How to test if a lookup does exist

richgalloway — Thu, 17 Nov 2022 18:22:42 GMT

You can use REST to see if a lookup file exists

| rest splunk_server=local /services/admin/lookup-table-files/logins.csv | stats count

but SPL does not have branching commands so I'm not sure how it helps this use case. Can you say more about the macro and what it will do if the lookup file doesn't exist?

Re: How to test if a lookup does exist

vagnet — Thu, 17 Nov 2022 18:59:50 GMT

Thanks

The macro is responsible to find matching IPs between the lookup and the search. If the lookup does not exist, then the only thing I need is to not break the search, and that runs as normal.

You would wonder, in this case, why I have the lookup inside the search if not existing. The answer is scaling, as that lookup is placed on many searches, and editing them would be time consuming.

Re: How to test if a lookup does exist

richgalloway — Thu, 17 Nov 2022 21:09:07 GMT

If this is part of a dashboard then I can see it working. The dashboard runs the rest command at launch to see if the lookup file is present and sets a token based on its findings. If the file was found then the token would contain the lookup command. if the file was not found then the token would contain an eval that sets the field sought by the lookup to something like "No lookup available" or "N/A". The query just needs to replace the existing lookup command with the token.

Re: How to test if a lookup does exist

vagnet — Thu, 17 Nov 2022 22:33:16 GMT

I see, sorry for not making it that clear!

The search is to be part of many alerts in my case and not dashboard