Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

how do I get the lookup table to update automatically whenever the CSV file is updated in the specific local file ?

chaitanya1996
Engager
‎04-27-2020 06:52 AM

Hello,
I have a csv file generated by script daily at $SplunkHome\etc\apps\bin\'fuel_stations.csv'. I add manually that CSV file as Lookup table files using "settings> lookups> Lookup table files> add new" to use it for my splunk search |inputlookup fuel_station.csv.

Now I want to automate to update lookup file whenever this csv file in above path is updated.
How do I get the lookup table to update automatically whenever the CSV file is updated in the specific local file ?
splunk v.6.6.3
Thanks

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎04-27-2020 01:27 PM

Hi chaitanya1996,

Easiest solution for this is to change the script to output the csv into the correct directory $SPLUNK_HOME\etc\apps\<yourApp>\lookups\fuel_stations.csv this will use the updated lookup file immediately when using | inputlookup afterwards.

This will only work if the script is not running in a Search Head Cluster; if you plan to run it in a search head cluster you can use this app https://splunkbase.splunk.com/app/4649/#/overview

Hope this helps ...

cheers, MuS

0 Karma
Reply

chaitanya1996
Engager
‎04-28-2020 06:59 AM

Hi @MuS ,

I have fuel_stations.csv file at indexer in Search Head Cluster. I want to update the lookup in search head and do |inputlookup across all search heads.

can you suggest to get this in any possible way.
And can you please elaborate it whether we can use the app you suggested to get this done.

Thanks,
Chaitanya

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎04-28-2020 01:10 PM

Hi chaitanya1996,

Lookup files should be created, stored and use on search heads. Just read the details of the app and you will get all details needed to learn how you can update the lookup file in a search head cluster.

cheers, MuS

0 Karma
Reply

prachisaxena
Explorer
‎04-27-2020 01:13 PM

Hi,

i would suggest monitoring this file $SplunkHome\etc\apps\bin\'fuel_stations.csv' using the splunk file monitoring. So, that the data in splunk is indexed everytime you update the file.

Then you can schedule a search to this data to lookup csv file using outputlookup command.
index =
| table field1, field2
|outputlookup fuel_station.csv append=(true|false)

0 Karma
Reply

chaitanya1996
Engager
‎04-28-2020 07:07 AM

Hi @prachisaxena,

When we monitor the csv file, if we change the value of field2 in row 2 from 5 to 4.. it gets into splunk.
But if we again change the field2 in row 2 from 4 to 5 , it doesn't get into splunk and iam not able to get the latest updated one due to this.

Thanks,
Chaitanya

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...