Getting Data In

How to search custom_data CSV files across several apps using lookup table command?

fk319
Builder

I have several similar apps. They share global searches and dashboards.
They each have custom data in a lookup table, custom_data.csv.
Is it possible to see all the custom_data.csv files in a single search using an admin account?

Normally I would generate a list of apps via a |rest call and then do a |map search.

I cannot figure out how to cross apps with a lookup table command inputlookup.

Labels (1)
0 Karma

darrenfuller
Contributor

Hi fk319,

Here is the problem... if you have three apps...

appA
    local - app.conf, transforms.conf
    lookups - mylookup.csv
    metadata - local.meta / default.meta

appB
    local - app.conf, transforms.conf
    lookups - mylookup.csv
    metadata - local.meta / default.meta

appC
    local - app.conf, transforms.conf
    lookups - mylookup.csv
    metadata - local.meta / default.meta

If you go to http://localhost:8000/en-US/app/app1/search, you get appA's mylookup.csv
If you go to http://localhost:8000/en-US/app/app2/search, you get appB's mylookup.csv
If you go to http://localhost:8000/en-US/app/app3/search, you get appC's mylookup.csv

If you go to search though, you get app3's version of the mylookup.csv.

This is because of splunk's config file precidence.. config files (and in this case lookups) will be brought from (lowest to highest)

$SPLUNK_HOME/etc/system/default
$SPLUNK_HOME/etc/apps/appname/default
$SPLUNK_HOME/etc/apps/appname/local
$SPLUNK_HOME/etc/system/local

And in the case of apps, if the same configuration is in multiple apps, it's going to pick the app that is the highest alphanumeric value, unless you are in that app, where it will take the data from that app.

So...putting together the results from three lookup files with the same name is a problem.

0 Karma

fk319
Builder

All this I understand.
In my case app1, app2, and app3 are the same app, but they are different users. They share the same dashboards and searches but have different data.
I am looking for a way for an admin, to review mylookup for all three apps at the same time.

in my case, mylookup will seldom change, but if user1 makes a change in app1, I would like for the admin to look at their dashboard and review the change without checking the apps individually.

0 Karma

to4kawa
Ultra Champion
3. Read in a lookup table in a CSV file
Search the users.csv lookup file, which is in the $SPLUNK_HOME/etc/system/lookups or 
$SPLUNK_HOME/etc/apps/<app_name>/lookups directory.

https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Inputlookup

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...