Solved: How to get the latest version of a lookup file

yossefn · ‎06-23-2020

Hi,

I have a SQL job that exports a .csv table to our file server with one column of user names in the file. This job is running once a day at the morning and writing a new file every day with the same name. Since Iv'e uploaded the file once, I can't see the changes of the new files in the next days.

Is there any option for me to monitor this file as a lookup and run a searches against the most recent data?

Thank you,

Yossi.

richgalloway · ‎06-23-2020

If you can have the SQL job write the CSV file to your app's 'lookup' directory then your queries can reference it using the lookup command.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎06-23-2020

If you can have the SQL job write the CSV file to your app's 'lookup' directory then your queries can reference it using the lookup command.

---
If this reply helps you, Karma would be appreciated.

yossefn · ‎06-28-2020

Looks like the SQL will have a little problem to write to a UNIX path, but we'll solve it with different tool to build a job that will copy the lookup file and write it the the Splunk server.

Thank you @richgalloway for the idea.

How to get the latest version of a lookup file

configuration

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?