Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the path for input files

randymw59
Explorer
‎12-17-2014 10:51 AM

I am new to Splunk...I have been given a query that uses an input file. I know the name of the input file, but how can I find the full pathname of where that file resides?

Tags (3)
0 Karma
Reply

somesoni2
Revered Legend
‎12-17-2014 11:23 AM

The file that you're looking is lookup table path. Use following query to get the full path

| rest /services/data/lookup-table-files | rename eai:* as * | table title acl.app data

The path will exist on the Search Head server. (/opt represent its the UNIX server)

0 Karma
Reply

randymw59
Explorer
‎12-17-2014 11:39 AM

I've been able to identify the path as:

/opt/splunk/etc/apps/search/lookups/generic_ids_dcs.csv

Can I edit the file in Splunk, or is it only possible to edit the file outside of Splunk in another editor program?

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎12-17-2014 12:32 PM

You can edit this in splunk with the lookup editor app, which has to be downloaded an installed from apps.splunk.com. You can also edit locally and upload the new copy to the splunk server, but you have to have permissions assigned to be able to do this. The other option is editing it in the local file system.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎12-17-2014 11:03 AM

Depending on how the file is ingested, the source field will typically give you the full path of the file. If you can provide and example of what you are looking at, we can provide more concrete help...

0 Karma
Reply

randymw59
Explorer
‎12-17-2014 11:05 AM

Here is the line in my query that reads the input file:
| inputlookup generic_ids_dcs.csv |

It doesn't list the entire pathname of the "generic_ids_dcs.csv" file, which is what I'm looking for.

Thanks....

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎12-17-2014 11:09 AM

This a from a lookup file, not an indexed data source. You need to look in the configuration, under lookup files, and find the lookup file to find out where on disk this is located.

Alternatively, if you have shell access on the box, you can do a find command or 'splunk btool transforms list --debug' and look for the "generic_ids_dcs.csv" lookup and path definition.

0 Karma
Reply

randymw59
Explorer
‎12-17-2014 11:13 AM

I don't know how to look in the configuration / lookup files...

0 Karma
Reply

randymw59
Explorer
‎12-17-2014 11:16 AM

I did find this:

/opt/splunk/etc/apps/search/lookups/generic_ids_dcs.csv

How can I map the full pathname? I'm not sure where the /opt resides.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎12-17-2014 11:33 AM

That is the full pathname, including the filename, of the lookup file. What do you mean by map?

You can add this path via an eval as

..currentsearch.. | eval mappedpath="/opt/splunk/etc/apps/search/lookups/generic_ids_dcs.csv"

And then do what you want to it..

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...