Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the path for input files

randymw59
Explorer
‎12-17-2014 10:51 AM

I am new to Splunk...I have been given a query that uses an input file. I know the name of the input file, but how can I find the full pathname of where that file resides?

Tags (3)
0 Karma
Reply

somesoni2
Revered Legend
‎12-17-2014 11:23 AM

The file that you're looking is lookup table path. Use following query to get the full path

| rest /services/data/lookup-table-files | rename eai:* as * | table title acl.app data

The path will exist on the Search Head server. (/opt represent its the UNIX server)

0 Karma
Reply

randymw59
Explorer
‎12-17-2014 11:39 AM

I've been able to identify the path as:

/opt/splunk/etc/apps/search/lookups/generic_ids_dcs.csv

Can I edit the file in Splunk, or is it only possible to edit the file outside of Splunk in another editor program?

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎12-17-2014 12:32 PM

You can edit this in splunk with the lookup editor app, which has to be downloaded an installed from apps.splunk.com. You can also edit locally and upload the new copy to the splunk server, but you have to have permissions assigned to be able to do this. The other option is editing it in the local file system.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎12-17-2014 11:03 AM

Depending on how the file is ingested, the source field will typically give you the full path of the file. If you can provide and example of what you are looking at, we can provide more concrete help...

0 Karma
Reply

randymw59
Explorer
‎12-17-2014 11:05 AM

Here is the line in my query that reads the input file:
| inputlookup generic_ids_dcs.csv |

It doesn't list the entire pathname of the "generic_ids_dcs.csv" file, which is what I'm looking for.

Thanks....

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎12-17-2014 11:09 AM

This a from a lookup file, not an indexed data source. You need to look in the configuration, under lookup files, and find the lookup file to find out where on disk this is located.

Alternatively, if you have shell access on the box, you can do a find command or 'splunk btool transforms list --debug' and look for the "generic_ids_dcs.csv" lookup and path definition.

0 Karma
Reply

randymw59
Explorer
‎12-17-2014 11:13 AM

I don't know how to look in the configuration / lookup files...

0 Karma
Reply

randymw59
Explorer
‎12-17-2014 11:16 AM

I did find this:

/opt/splunk/etc/apps/search/lookups/generic_ids_dcs.csv

How can I map the full pathname? I'm not sure where the /opt resides.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎12-17-2014 11:33 AM

That is the full pathname, including the filename, of the lookup file. What do you mean by map?

You can add this path via an eval as

..currentsearch.. | eval mappedpath="/opt/splunk/etc/apps/search/lookups/generic_ids_dcs.csv"

And then do what you want to it..

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...