How to upload lookup file using REST to specific app

GersonGarcia
Path Finder

All,

I am trying to manage lookup csv files using REST API.

1) I create the lookup file on the stage folder:

    : [1755] root@endpoint:~ # ; ls -al /opt/splunk/var/run/splunk/lookup_tmp/*
    -rw-r--r-- 1 root root 1631 May 8 17:49 /opt/splunk/var/run/splunk/lookup_tmp/nagios_gg.csv

2) I am able to upload it using REST:

    curl -k -X POST -u ggarcia https://endpoint:8089/services/data/lookup-table-files/nagios_gg.csv -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/nagios_gg.csv

It works fine, but it creates the lookup under the search app:

    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">ggarcia</s:key>
            <s:key name="perms"/>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">user</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data"><![CDATA[/usr/ssn/splunk/etc/users/ggarcia/search/lookups/nagios_gg.csv]]></s:key>
        <s:key name="eai:userName">ggarcia</s:key>
      </s:dict>
    </content>

If I move it to different app using:

    curl -k -X POST -u ggarcia https://endpoint:8089/services/data/lookup-table-files/nagios_gg.csv -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/nagios_gg2.csv
    Enter host password for user 'ggarcia':
    <?xml version="1.0" encoding="UTF-8"?>
    <response>
      <messages>
        <msg type="ERROR">An object with name=nagios_gg.csv does not exist</msg>
      </messages>
    </response>

How can I create it in a different app and be able to update it using REST?

Thank you!
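
An added example, not part of the original post: a small Python check that parses the `eai:acl` block of a lookup-table-files response like the one above and reports where the lookup actually landed. The sample is constructed from the fragment in the post with the `s:` namespace declaration added so it parses on its own; the app name `nagios_app` is a hypothetical target.

```python
import xml.etree.ElementTree as ET

S = "{http://dev.splunk.com/ns/rest}"  # namespace behind the s: prefix in Splunk REST output

# Constructed sample: the <content> fragment from the post, shortened, with the
# xmlns:s declaration added so the fragment is well-formed by itself.
SAMPLE = """<content type="text/xml" xmlns:s="http://dev.splunk.com/ns/rest">
  <s:dict>
    <s:key name="disabled">0</s:key>
    <s:key name="eai:acl">
      <s:dict>
        <s:key name="app">search</s:key>
        <s:key name="owner">ggarcia</s:key>
        <s:key name="perms"/>
        <s:key name="sharing">user</s:key>
      </s:dict>
    </s:key>
    <s:key name="eai:appName">search</s:key>
    <s:key name="eai:data"><![CDATA[/usr/ssn/splunk/etc/users/ggarcia/search/lookups/nagios_gg.csv]]></s:key>
  </s:dict>
</content>"""

def dict_to_py(node):
    """Convert an <s:dict> element into a nested Python dict."""
    out = {}
    for key in node.findall(f"{S}key"):
        child = key.find(f"{S}dict")
        out[key.get("name")] = dict_to_py(child) if child is not None else (key.text or "").strip()
    return out

def check_context(xml_text, expected_app):
    """Return (acl, problems) for one lookup entry; problems is a list of strings."""
    root = ET.fromstring(xml_text)
    top = root if root.tag == f"{S}dict" else root.find(f".//{S}dict")
    entry = dict_to_py(top)
    acl = entry.get("eai:acl", {})
    problems = []
    if acl.get("app") != expected_app:
        problems.append(f"app is {acl.get('app')!r}, expected {expected_app!r}")
    if acl.get("sharing") == "user":
        problems.append(f"sharing is 'user': visible only to owner {acl.get('owner')!r}")
    if "/etc/users/" in entry.get("eai:data", ""):
        problems.append("file is stored under etc/users/, not in an app's lookups directory")
    return acl, problems

if __name__ == "__main__":
    acl, problems = check_context(SAMPLE, "nagios_app")  # hypothetical target app
    print(acl, *problems, sep="\n")
```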
