Deployment Architecture

How to upload lookup file using REST to specific app

GersonGarcia
Path Finder

All,

I am trying to manage lookup csv files using REST API.

1) I create the lookup file on the stage folder:
: [1755] root@endpoint:~ # ; ls -al /opt/splunk/var/run/splunk/lookup_tmp/*
-rw-r--r-- 1 root root 1631 May 8 17:49 /opt/splunk/var/run/splunk/lookup_tmp/nagios_gg.csv

2) I am able to upload it using REST:
curl -k -X POST -u ggarcia https://endpoint:8089/services/data/lookup-table-files/nagios_gg.csv -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/nagios_gg.csv

It works fine, but it creates the lookup under search app:

    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">ggarcia</s:key>
            <s:key name="perms"/>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">user</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data"><![CDATA[/usr/ssn/splunk/etc/users/ggarcia/search/lookups/nagios_gg.csv]]></s:key>
        <s:key name="eai:userName">ggarcia</s:key>
      </s:dict>
    </content>

If I move it to different app using:

curl -k -X POST -u ggarcia https://endpoint:8089/services/data/lookup-table-files/nagios_gg.csv -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/nagios_gg2.csv
Enter host password for user 'ggarcia':
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">An object with name=nagios_gg.csv does not exist</msg>
  </messages>
</response>

How can I create it in different APP and be able to update using REST?

Thank you!

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...