
Updating managed lookup via api in cloud

FuzzySteve
Loves-to-Learn

Hello Community!

We have a particular set of searches that rely on a lookup against a managed lookup (ad hoc). The lookup is 2 columns, Username and Status. Currently, we update this list manually every day by going into content management, searching for the file, and then adding and deleting entries.

This was ok to start, but now the list is getting unmanageable.

What we would like to do, ideally, is take a local CSV and upload it over top of the one that exists via a PowerShell script that will be run on a local machine. If that is not an option, I would be willing to have a script that creates a search to update the managed lookup that can be copied and pasted into a search.

Looking for suggestions and ideas. Thanks in advance.

 

 

 

0 Karma

FuzzySteve
Loves-to-Learn

We do not use the Lookup Editor app, but I will investigate if we can have it added to our instance.
Your curl example looks similar to some other posts I've seen here. My concern is that it's targeted at localhost. Would it work with a cloud instance?

0 Karma

mcmaster
Communicator

You may need to put in a support request to have your IP address added to the allowlist for API access to your cloud instance, but otherwise yes it should work with a cloud instance.

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2201/RESTTUT/RESTandCloud

0 Karma

mcmaster
Communicator

Hey @FuzzySteve ,

Unfortunately there's no built-in way to do what you're trying to do. You could script the conversion of a .csv file into SPL to generate a lookup, or if you have the Lookup Editor app installed (https://splunkbase.splunk.com/app/1724/) it provides a REST API endpoint that you might be able to use to update the lookup. Here's an example:

curl -k -u admin:password -X POST -d namespace=search -d lookup_file=users.csv -d contents='[["username", "email"], ["admin", "admin@example.com"]]' https://localhost:8089/servicesNS/nobody/lookup_editor/data/lookup_edit/lookup_contents

The contents value is just a JSON array of arrays - the outer array makes up the "rows" of the CSV file and the inner arrays make up the "columns".

0 Karma
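
The upload described in this thread, as an added PowerShell example that none of the participants posted: it validates the two-column CSV before overwriting the lookup, prompts for the credential instead of putting it on the command line, and leaves TLS certificate validation on. It assumes the Lookup Editor app is installed and that its endpoint accepts the same three form fields as the curl example above; the parameter names, `$BaseUri` and the defaults are placeholders.

```powershell
# Added example. Parameter names and defaults are placeholders, not values from the thread.
param(
    [Parameter(Mandatory)] [string] $CsvPath,
    [Parameter(Mandatory)] [string] $BaseUri,       # management URL of your instance, e.g. https://<host>:8089
    [string] $Namespace  = 'search',                # app namespace, as in the curl example
    [string] $LookupFile = 'users.csv'              # lookup file name, as in the curl example
)
$ErrorActionPreference = 'Stop'

# Basic auth must never travel over plain HTTP.
if ($BaseUri -notmatch '^https://') { throw 'BaseUri must start with https://' }
# Windows PowerShell 5.1 may default to older TLS versions; force TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Validate the local file before it replaces the live lookup.
$expected = 'Username', 'Status'
$records  = @(Import-Csv -Path $CsvPath)
if ($records.Count -eq 0) { throw "No data rows in $CsvPath; refusing to overwrite the lookup." }
$columns = @($records[0].PSObject.Properties.Name)
if (($columns -join ',') -ne ($expected -join ',')) {
    throw "Expected columns '$($expected -join ', ')' but found '$($columns -join ', ')'."
}

# Build the array of arrays: header row first, then one inner array per CSV row.
$rows = [System.Collections.Generic.List[object]]::new()
$rows.Add([string[]]$expected)
foreach ($r in $records) {
    if ([string]::IsNullOrWhiteSpace($r.Username)) { throw 'Row with empty Username; refusing to upload.' }
    $rows.Add([string[]]@($r.Username.Trim(), "$($r.Status)".Trim()))
}
# -InputObject keeps the outer list from being unrolled by the pipeline.
$contents = ConvertTo-Json -InputObject $rows -Compress

# Prompt for the account; the password is not stored in the script or shell history.
$cred  = Get-Credential -Message 'Splunk account allowed to edit the lookup'
$pair  = '{0}:{1}' -f $cred.UserName, $cred.GetNetworkCredential().Password
$basic = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))

# A hashtable body is sent form-encoded, matching curl's -d fields.
$uri = "$($BaseUri.TrimEnd('/'))/servicesNS/nobody/lookup_editor/data/lookup_edit/lookup_contents"
Invoke-RestMethod -Method Post -Uri $uri -Headers @{ Authorization = "Basic $basic" } -Body @{
    namespace   = $Namespace
    lookup_file = $LookupFile
    contents    = $contents
}
```

Because the whole file is replaced on each run, keep the previous CSV so a bad upload can be rolled back.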