Hello Community!
We have a particular set of searches that rely on a lookup against a managed lookup (ad hoc). The lookup is 2 columns, Username and Status. Currently, we update this list manually every day by going into content management, searching for the file, and then adding and deleting entries.
This was ok to start, but now the list is getting unmanageable.
What we would like to do, ideally, is take a local CSV and upload it over top of the one that exists via a PowerShell script that will be run on a local machine. If that is not an option, I would be willing to have a script that creates a search to update the managed lookup that can be copied and pasted into a search.
Looking for suggestions and ideas. Thanks in advance.
We do not use the lookup editor app but I will investigate if we can have it added to our instance.
Your curl example looks similar to some other posts I've seen here. My concern is that it's targeted at a local host. Would it work with a cloud instance?
You may need to put in a support request to have your IP address added to the allowlist for API access to your cloud instance, but otherwise yes it should work with a cloud instance.
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2201/RESTTUT/RESTandCloud
Hey @FuzzySteve ,
Unfortunately there's no built-in way to do what you're trying to do. You could script the conversion of a .csv file into SPL to generate a lookup, or if you have the Lookup Editor app installed (https://splunkbase.splunk.com/app/1724/) it provides a REST API endpoint that you might be able to use to update the lookup. Here's an example:
curl -k -u admin:password -X POST -d namespace=search -d lookup_file=users.csv -d contents='[["username", "email"], ["admin", "admin@example.com"]]' https://localhost:8089/servicesNS/nobody/lookup_editor/data/lookup_edit/lookup_contents
The contents value is just a JSON array of arrays - the outer array makes up the "rows" of the CSV file and the inner arrays make up the "columns".
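
Added example, not part of the original thread: a PowerShell sketch that reads a local CSV, builds the array-of-arrays `contents` value described above, and posts it to the same Lookup Editor endpoint used in the curl command. The file path, base URL and parameter defaults are assumptions to replace with your own; it requires the Lookup Editor app and prompts for credentials instead of putting a password on the command line.

```powershell
# Added example (not from the thread). Assumed values: $CsvPath and $BaseUrl.
# The endpoint and form fields are the ones in the curl command quoted above.
param(
    [string]$CsvPath    = '.\users.csv',             # assumed local file
    [string]$LookupFile = 'users.csv',               # lookup name from the curl example
    [string]$Namespace  = 'search',                  # namespace from the curl example
    [string]$BaseUrl    = 'https://localhost:8089',  # placeholder management URL
    [pscredential]$Credential = (Get-Credential)     # prompts; nothing stored in the script
)

function ConvertTo-LookupContents {
    param([Parameter(Mandatory)][string]$Path)

    # @() keeps a single-row CSV as an array instead of a lone object.
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) {
        throw "No data rows in '$Path'; refusing to overwrite the lookup with an empty file."
    }
    $columns = @($rows[0].PSObject.Properties.Name)

    # Outer list = CSV rows, inner string[] = columns; the header row goes first.
    $table = [System.Collections.Generic.List[object]]::new()
    $table.Add([string[]]$columns)
    foreach ($row in $rows) {
        $values = foreach ($c in $columns) { [string]$row.$c }
        $table.Add([string[]]@($values))
    }
    # -InputObject (not the pipeline) stops PowerShell from unrolling the outer array.
    ConvertTo-Json -InputObject $table.ToArray() -Compress -Depth 3
}

# Basic auth header built from the prompted credential.
$pair  = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
$basic = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))

# A hashtable body on POST is sent form-encoded, like curl's -d fields.
$form = @{
    namespace   = $Namespace
    lookup_file = $LookupFile
    contents    = ConvertTo-LookupContents -Path $CsvPath
}
$uri = "$BaseUrl/servicesNS/nobody/lookup_editor/data/lookup_edit/lookup_contents"
Invoke-RestMethod -Method Post -Uri $uri -Headers @{ Authorization = "Basic $basic" } -Body $form
```

Unlike the curl command's `-k`, this leaves TLS certificate validation on, so the management endpoint needs a certificate the local machine trusts. The post replaces the whole lookup with the CSV's contents, so the local file has to be the complete list.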