- Splunk Answers
- :
- Using Splunk
- :
- Splunk Dev
- :
- Updating managed lookup via api in cloud
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Updating managed lookup via api in cloud
Hello Community!
We have a particular set of searches that rely on a lookup against a managed lookup (adhock). The lookup is 2 columns, Username and Status. Currently, we update this list manually every day by going in to content management, searching for the file, and then adding and deleting entries.
This was ok to start, but now the list is getting unmanageable.
What we would like to do, ideally, is take a local CSV and upload it over top of the one that exists via a PoweShell script that will be run on a local machine. If that is not an option, I would be willing to have a script that creates a search to update the managed lookup that can be copied and pasted into a search.
looking for suggestions and ideas. Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We do not use the lookup editor app but I will investigate if we can have it added to our instance.
your curl example looks similar to some other posts I've seen here. My concern is that it's targeted at a local host. Would it work with a cloud instance?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You may need to put in a support request to have your IP address added to the allowlist for API access to your cloud instance, but otherwise yes it should work with a cloud instance.
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2201/RESTTUT/RESTandCloud
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @FuzzySteve ,
Unfortunately there's no built-in way to do what you're trying to do. You could script the conversion of a .csv file into SPL to generate a lookup, or if you have the Lookup Editor app installed (https://splunkbase.splunk.com/app/1724/) it provides a REST API endpoint that you might be able to use to update the lookup. Here's an example:
curl -k -u admin:password -X POST -d namespace=search -d lookup_file=users.csv -d contents='[["username", "email"], ["admin", "admin@example.com"]]' https://localhost:8089/servicesNS/nobody/lookup_editor/data/lookup_edit/lookup_contents
The contents value is just a JSON array of arrays - the outer array makes up the "rows" of the CSV file and the inner arrays make up the "columns".
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
