
Create KVStore lookup definition in Splunk UI without using transform.conf

LearningGuy
Builder

Hello,
I am not an admin that has permission to create or view transform.conf file. I also don't have a lab, so I can't experiment with the KVStore lookup.

Can I create KVStore lookup definition in Splunk UI without using transform.conf file?

Will creating KVStore lookup definition in Splunk UI automatically update transform.conf file?

Please suggest. Thank you

LearningGuy
Builder

Hello,

Sorry I wasn't clear. I modified my questions a bit below.
I was referring to the Splunk UI, as in the menu: Lookups >> Lookup definitions >> Add new
My previous two questions specifically asked about the relationship between Splunk UI and transform.conf (not collection.conf)

1) Can I create KVStore lookup definition in Splunk UI without creating transform.conf file directly via command line?
[Yes/No]

2) Will creating KVStore lookup definition in Splunk UI automatically update transform.conf file?
[Yes/No]

The reason I asked is that I only have the ability to create a lookup definition through the Splunk UI Lookup menu (not Lookup Editor), and I was wondering if that would create transform.conf.

I appreciate your suggestions; here's my response to them (although they didn't answer my two questions):
1) maybe - but I don't have a way to test  
2) PC is restrictive 
3) not possible

Thank you


deepakc
Builder


1) Can I create KVStore lookup definition in Splunk UI without creating transform.conf file directly via command line?
[Yes/No]
Yes (Splunk will create a transforms.conf via the Splunk UI)


2) Will creating KVStore lookup definition in Splunk UI automatically update transform.conf file?
[Yes/No]
Yes - (This sounds like, if you want to update your kvstore definitions with perhaps new fields etc, so yes it will automatically update the transforms.conf)

LearningGuy
Builder

Hi,

Thanks for answering my questions.
Since I can update transform.conf myself, I only need an admin to create collections.conf, correct?

Thanks again


deepakc
Builder

Yes, the Splunk admin can then add it to the correct app context and apply permissions.

LearningGuy
Builder


Whenever I update/create a collections.conf or transforms.conf file manually, does Splunk need to be restarted (by an admin)?

Same question if I use the Lookup Editor app - does Splunk need to be restarted (by an admin) after updating/creating collections.conf or transforms.conf?

https://splunkbase.splunk.com/app/1724  

I think once we have these answered, you have solved this post.  

Thank you so much


isoutamo
SplunkTrust

When you have edited those files on disk, Splunk needs to be restarted or at least refreshed before those changes are in use. You should look at the /debug/refresh URL for refresh.

When you are using the Lookup Editor app, there is no need to do those, as this app manages those actions internally. Just create a new lookup and after you have saved it, it’s ready for use.

LearningGuy
Builder


Hi @isoutamo 
So if I am using lookup editor, I don't need an intervention from the admin, including restarting or refreshing URL, correct?

Thanks


isoutamo
SplunkTrust
That’s correct.

isoutamo
SplunkTrust

Hi

This depends on what you already have in your Splunk. If you want to create a KV-based lookup with the GUI, then the minimum requirement is that you have at least one collection defined on your instance. And this can be done only with a conf file. If you haven't any collection, then you cannot create a KV-based lookup with the GUI. Of course, if you have the Lookup Editor app, then you can.

But even if you have a collection defined, it's not as simple as just creating a new lookup based on it. Usually there is a collection per lookup, as the collection defines the fields used in the lookup.

I think that your best options are:

  • Ask your Splunk Admin to install Splunk Lookup Editor and use it
  • Ask your Splunk Admin / KO admin to create that collection + lookup for you
  • Create an app which contains those and ask your Splunk Admin to install it with the needed permissions for your use case

r. Ismo

deepakc
Builder

As you don't have admin access, you have some options:

1. Create the transforms.conf / collections config using a file editor if you know what you're doing and give it to your Splunk admin; they can do the rest.

2. You can download a free instance of Splunk (install it if you know what you're doing) and do the dev work there and then give the config to your Splunk admin.

3. You can also use the Lookup Editor app - https://splunkbase.splunk.com/app/1724 - this is an easy way to create kvstores. You need to install this app, and it's popular; get your Splunk admin to install this.
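
Added example, not part of any post above and not taken from a Splunk-shipped app: a minimal app layout for the hand-off described in the replies, showing the collection, the KV Store lookup definition that points at it, and the permissions an admin would apply. The app name `my_lookup_app`, the collection, lookup and field names, and the role choices are all hypothetical.

```ini
# --- my_lookup_app/default/collections.conf ---
# Defines the KV Store collection. This is the part that cannot be
# created from Lookups >> Lookup definitions, so it goes to the admin.
[asset_owner_kv]
# Typed fields; the _key field is managed by the KV Store itself
field.host = string
field.owner = string
field.criticality = number
# Reject writes whose values do not match the declared types
enforceTypes = true

# --- my_lookup_app/default/transforms.conf ---
# The lookup definition. A definition of type "KV Store" created in the
# UI carries the same three settings.
[asset_owner_lookup]
external_type = kvstore
collection = asset_owner_kv
fields_list = _key, host, owner, criticality

# --- my_lookup_app/metadata/default.meta ---
# Permissions are set per object. Write access to the collection controls
# who can change lookup contents; export = none keeps both objects
# private to this app instead of sharing them globally.
[collections/asset_owner_kv]
access = read : [ * ], write : [ admin, power ]
export = none

[transforms/asset_owner_lookup]
access = read : [ * ], write : [ admin ]
export = none
```

Files placed on disk this way are subject to the restart or /debug/refresh step mentioned earlier in the thread.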
