Solved: Create KVStore lookup definition in Splunk UI with...

LearningGuy · ‎05-05-2024

Hello,
I am not an admin that has permission to create or view transform.conf file. I also don't have a lab, so I can't experiment with the KVStore lookup.

Can I create KVStore lookup definition in Splunk UI without using transform.conf file?

Will creating KVStore lookup definition in Splunk UI automatically update transform.conf file?

Please suggest. Thank you

deepakc · ‎05-06-2024

1) Can I create KVStore lookup definition in Splunk UI without creating transform.conf file directly via command line?
[Yes/No]
Yes (Splunk will create a transforms.conf via the Splunk UI)

2) Will creating KVStore lookup definition in Splunk UI automatically update transform.conf file?
[Yes/No]
Yes - (This sounds like, if you want update your kvstore definitions with perhaps new fields etc, so yes it will automatically update the transforms.conf)

View solution in original post

LearningGuy · ‎05-05-2024

Hello,

Sorry I wasn't clear. I modified my questions a bit below
I was referring Splunk UI as in the menu: Lookups >> Lookup definitions >> Add new
My previous two questions specifically asked about a relationship between Splunk UI and transform.conf (not collection.conf)

1) Can I create KVStore lookup definition in Splunk UI without creating transform.conf file directly via command line?
[Yes/No]

2) Will creating KVStore lookup definition in Splunk UI automatically update transform.conf file?
[Yes/No]

The reason I asked because I only have the ability to create lookup definition through Splunk UI Lookup menu (not lookup editor) and I was wondering if that would create transform.conf

I appreciate your suggestion, here's my response to yours suggestion (although didn't answer my two questions)
1) maybe - but I don't have a way to test
2) PC is restrictive
3) not possible

Thank you

deepakc · ‎05-06-2024

1) Can I create KVStore lookup definition in Splunk UI without creating transform.conf file directly via command line?
[Yes/No]
Yes (Splunk will create a transforms.conf via the Splunk UI)

2) Will creating KVStore lookup definition in Splunk UI automatically update transform.conf file?
[Yes/No]
Yes - (This sounds like, if you want update your kvstore definitions with perhaps new fields etc, so yes it will automatically update the transforms.conf)

LearningGuy · ‎05-06-2024

Hi,

Thanks for answering my questions.
Since I can update transform.conf myself, I only need to an admin to create collections.conf, correct?

Thanks again

deepakc · ‎05-06-2024

yes, the Splunk admin can then add it to the correct app context and apply permissions.

LearningGuy · ‎05-06-2024

Whenever I update/create collections.conf or transforms.conf file manually , should Splunk need to be restarted (by admin)?

Same question if I use Lookup Editor app - should Splunk need to be restarted (by admin) after updating/creating collections.conf or transforms.conf?

https://splunkbase.splunk.com/app/1724

I think once we have these answered, you have solved this post.

Thank you so much

isoutamo · ‎05-06-2024

When you have edited those files on disk, splunk needs restarted or at least refreshed before those change as are in use. You should look /debug/refresh url for refresh.

When you are using lookup editor app, no need to do those as this app manage those actions internally. Just create a new lookup and after you have saved it, it’s ready for use.

LearningGuy · ‎05-07-2024

Hi @isoutamo
So if I am using lookup editor, I don't need an intervention from the admin, including restarting or refreshing URL, correct?

Thanks

isoutamo · ‎05-07-2024

That’s correct.

isoutamo · ‎05-06-2024

Hi

This depends on what you have already in your Splunk. If you want to create KV based lookup with GUI then minimum requirement is that you have at least one collection defined on your instance. And this can do only with conf file. If you haven't any collection then you cannot create kv based lookup with GUI. Of course if you have lookup editor app then you can.

But even if you have collection defined it's not so simple than just create a new lookup based on it. Usually there is collection per lookup as collection defines used fields in lookup.

I think that your best options are:

Ask your Splunk Admin install Splunk Lookup Editor and use it
Ask your Splunk Admin / KO admin create that collection + lookup for you
Create app which contains those and ask from your Splunk Admin that they install it with needed permission for your use case

r. Ismo

deepakc · ‎05-05-2024

As you don't have admin access, you have some options:

1. Create the transforms.conf / collections config using a file editor if you know what your doing and give it your Splunk admin they can do the rest.

2. You can download a free instance of Splunk (Install it if you know what your doing) and do the dev work there and then give the config to your Splunk admin.

3. You can also use the lookup editor app - https://splunkbase.splunk.com/app/1724 this is an easy way to create kvstores - you need to install this app and its popular, get you Splunk admin to install this.

Create KVStore lookup definition in Splunk UI without using transform.conf

kvstore

lookup

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024