- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Add a lookup file without the GUI
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I currently have a distributed splunk setup, with one search head a cluster master and three indexers and am trying to automate a way to add lookup files to this setup. The file is too large to be uploaded to the web GUI, so I have attempted to add the lookup file to
/appName/lookups/mylookup.csv
on the search head, but as soon as I do, I receive a sync error with failure reason 'NONE' and no other data is searchable through the search head. So I am wondering two things,
1; when I upload a lookup through the lookup editor app, it is added into the /lookup_editor/lookups folder, so why when I add one manually does it not like it? Is there another file I need to update?
2:What is the best way to script uploading a lookup file to splunk?
Thanks
EDIT Just thought I would add an edit, as I have found out that manually creating a lookup within the folder didn't actually cause issues with the search head, this issue was the lookup I created was 8 GB and the maximum bundle size was set to 1GB, so the bundle failed to replicate and caused all these issues. So I believe it actually possible to create a lookup manually with the above method !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check this out http://docs.splunk.com/Documentation/Splunk/6.3.2/Knowledge/ConfigureCSVlookups.
It doesn't specifically deal with how to script such a thing, bit it does explain how to define a lookup in transforms.conf, so you could make a shell script to 1) upload the csv 2) copy/append the transforms.conf 3) restart splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check this out http://docs.splunk.com/Documentation/Splunk/6.3.2/Knowledge/ConfigureCSVlookups.
It doesn't specifically deal with how to script such a thing, bit it does explain how to define a lookup in transforms.conf, so you could make a shell script to 1) upload the csv 2) copy/append the transforms.conf 3) restart splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I could add lookup by editing the transforms.conf file. Now i want to add lookup definition from the command line. Any way to do that?
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
