Deployment Architecture

How to upload lookup file using REST to specific app

GersonGarcia
Path Finder

All,

I am trying to manage lookup csv files using REST API.

1) I create the lookup file on the stage folder:
: [1755] root@endpoint:~ # ; ls -al /opt/splunk/var/run/splunk/lookup_tmp/*
-rw-r--r-- 1 root root 1631 May 8 17:49 /opt/splunk/var/run/splunk/lookup_tmp/nagios_gg.csv

2) I am able to upload it using REST:
curl -k -X POST -u ggarcia https://endpoint:8089/services/data/lookup-table-files/nagios_gg.csv -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/nagios_gg.csv

It works fine, but it creates the lookup under search app:

    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="eai:acl">
          <s:dict>
            <s:key name="app">search</s:key>
            <s:key name="can_change_perms">1</s:key>
            <s:key name="can_list">1</s:key>
            <s:key name="can_share_app">1</s:key>
            <s:key name="can_share_global">1</s:key>
            <s:key name="can_share_user">1</s:key>
            <s:key name="can_write">1</s:key>
            <s:key name="modifiable">1</s:key>
            <s:key name="owner">ggarcia</s:key>
            <s:key name="perms"/>
            <s:key name="removable">1</s:key>
            <s:key name="sharing">user</s:key>
          </s:dict>
        </s:key>
        <s:key name="eai:appName">search</s:key>
        <s:key name="eai:data"><![CDATA[/usr/ssn/splunk/etc/users/ggarcia/search/lookups/nagios_gg.csv]]></s:key>
        <s:key name="eai:userName">ggarcia</s:key>
      </s:dict>
    </content>

If I move it to different app using:

curl -k -X POST -u ggarcia https://endpoint:8089/services/data/lookup-table-files/nagios_gg.csv -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/nagios_gg2.csv
Enter host password for user 'ggarcia':
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">An object with name=nagios_gg.csv does not exist</msg>
  </messages>
</response>

How can I create it in different APP and be able to update using REST?

Thank you!

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...