Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how do I get the lookup table to update automatically whenever the CSV file is updated in the specific local file ?

chaitanya1996
Engager
‎04-27-2020 06:52 AM

Hello,
I have a csv file generated by script daily at $SplunkHome\etc\apps\bin\'fuel_stations.csv'. I add manually that CSV file as Lookup table files using "settings> lookups> Lookup table files> add new" to use it for my splunk search |inputlookup fuel_station.csv.

Now I want to automate to update lookup file whenever this csv file in above path is updated.
How do I get the lookup table to update automatically whenever the CSV file is updated in the specific local file ?
splunk v.6.6.3
Thanks

0 Karma
Reply

MuS
Legend
‎04-27-2020 01:27 PM

Hi chaitanya1996,

Easiest solution for this is to change the script to output the csv into the correct directory $SPLUNK_HOME\etc\apps\<yourApp>\lookups\fuel_stations.csv this will use the updated lookup file immediately when using | inputlookup afterwards.

This will only work if the script is not running in a Search Head Cluster; if you plan to run it in a search head cluster you can use this app https://splunkbase.splunk.com/app/4649/#/overview

Hope this helps ...

cheers, MuS

0 Karma
Reply

chaitanya1996
Engager
‎04-28-2020 06:59 AM

Hi @MuS ,

I have fuel_stations.csv file at indexer in Search Head Cluster. I want to update the lookup in search head and do |inputlookup across all search heads.

can you suggest to get this in any possible way.
And can you please elaborate it whether we can use the app you suggested to get this done.

Thanks,
Chaitanya

0 Karma
Reply

MuS
Legend
‎04-28-2020 01:10 PM

Hi chaitanya1996,

Lookup files should be created, stored and use on search heads. Just read the details of the app and you will get all details needed to learn how you can update the lookup file in a search head cluster.

cheers, MuS

0 Karma
Reply

prachisaxena
Explorer
‎04-27-2020 01:13 PM

Hi,

i would suggest monitoring this file $SplunkHome\etc\apps\bin\'fuel_stations.csv' using the splunk file monitoring. So, that the data in splunk is indexed everytime you update the file.

Then you can schedule a search to this data to lookup csv file using outputlookup command.
index =
| table field1, field2
|outputlookup fuel_station.csv append=(true|false)

0 Karma
Reply

chaitanya1996
Engager
‎04-28-2020 07:07 AM

Hi @prachisaxena,

When we monitor the csv file, if we change the value of field2 in row 2 from 5 to 4.. it gets into splunk.
But if we again change the field2 in row 2 from 4 to 5 , it doesn't get into splunk and iam not able to get the latest updated one due to this.

Thanks,
Chaitanya

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...