Splunk Search

A user uploaded a CSV file and is able to search it with the lookup command, but why is he unable to view the lookup file in Splunk Web?

mfrost8
Builder

Hi.

I have a user here who has uploaded a lookup CSV file into $SPLUNK_HOME/etc/apps/<APP>/lookups. What's odd is that if he then goes to Settings -> Lookups -> Lookup table files, it's not listed, but if he clicks on New to create it, the Splunk UI does not show that the file is there to create a lookup out of.

He is, however, able to use "lookup" as part of a search and use that CSV file in his search, so it's definitely there, but it's not seen by the UI for some reason. The fact that he can use it in-line like that tells me that permissions on the uploaded file are not an issue.

This is happening on a Splunk instance that I have neither direct access to nor control over, but I believe it's Splunk 6.0.x. I had thought that perhaps, as with any filesystem-level app change, Splunk might need to be poked via a REST endpoint or restarted to pick up the new file. He accessed the "/debug/refresh" endpoint but that did not seem to make it work.

Is there something special that has to happen to get this version of Splunk to see a newly-uploaded lookup CSV file on the UI's "Lookup table files" page?

Thanks

0 Karma

lguinn2
Legend

Did he upload it directly to the server or did he use the Splunk UI to upload it? It is best to use the Splunk UI (at least the first time the file is uploaded) because the Splunk UI puts the file in the proper directory and sets permissions for it. Quite often, the permissions should be set to global for a lookup file, but it doesn't have to be. However, you probably don't want the permissions to remain private.

0 Karma

mfrost8
Builder

He did upload the file using the UI.

0 Karma

lguinn2
Legend

And the permissions are what in the Splunk UI? Global, app or private? He should also check to make sure that he uploaded the CSV file into the same app as where he is trying to create the lookup.

There is nothing that you need to do (restart, "/debug/refresh") to get Splunk to "see" the file.

0 Karma
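The two checks suggested in this answer (which app the CSV actually landed in, and whether its sharing is global, app-level or private) can be done from the filesystem without touching Splunk Web. The script below is an added example, not code from this thread or from Splunk. It assumes the standard layout under $SPLUNK_HOME/etc (app lookups in apps/<app>/lookups, private lookups in users/<user>/<app>/lookups) and the usual .meta semantics, where a stanza such as [lookups/hosts.csv] with export = system means the object is shared globally and anything else is app-level. The sample directory tree and local.meta it builds are constructed for demonstration only.

```python
"""Audit lookup CSV files on a Splunk instance: which app each file lives in
and whether its sharing is global, app-level or private, by reading the
metadata files Splunk writes. Added example; assumes the standard etc layout.
"""
import os
import re
import tempfile

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*$")


def parse_meta(text):
    """Parse a Splunk .meta/.conf file into {stanza_name: {key: value}}."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def load_app_meta(app_dir):
    """Merge metadata/default.meta and metadata/local.meta (local wins)."""
    merged = {}
    for fname in ("default.meta", "local.meta"):
        path = os.path.join(app_dir, "metadata", fname)
        if os.path.exists(path):
            with open(path) as fh:
                for name, kv in parse_meta(fh.read()).items():
                    merged.setdefault(name, {}).update(kv)
    return merged


def lookup_scope(stanzas, csv_name):
    """'global' if the most specific stanza sets export = system, else 'app'."""
    for name in (f"lookups/{csv_name}", "lookups", ""):
        if name in stanzas and "export" in stanzas[name]:
            return "global" if stanzas[name]["export"] == "system" else "app"
    return "app"  # nothing sets export: Splunk treats the object as app-level


def listdir_or_empty(path):
    return sorted(os.listdir(path)) if os.path.isdir(path) else []


def csvs_in(lookups_dir):
    return [n for n in listdir_or_empty(lookups_dir) if n.endswith(".csv")]


def audit(etc_dir):
    """Return {csv_name: [(app, scope), ...]} across app and user dirs."""
    found = {}
    for app in listdir_or_empty(os.path.join(etc_dir, "apps")):
        app_dir = os.path.join(etc_dir, "apps", app)
        stanzas = load_app_meta(app_dir)
        for csv in csvs_in(os.path.join(app_dir, "lookups")):
            found.setdefault(csv, []).append((app, lookup_scope(stanzas, csv)))
    users_dir = os.path.join(etc_dir, "users")
    for user in listdir_or_empty(users_dir):
        for app in listdir_or_empty(os.path.join(users_dir, user)):
            for csv in csvs_in(os.path.join(users_dir, user, app, "lookups")):
                found.setdefault(csv, []).append((app, f"private:{user}"))
    return found


# Constructed sample metadata, not taken from a real install.
SAMPLE_LOCAL_META = """\
[lookups/hosts.csv]
export = system
access = read : [ * ], write : [ admin ]

[lookups/users.csv]
access = read : [ * ], write : [ admin ]
"""


def build_sample_etc():
    """Build a constructed $SPLUNK_HOME/etc tree in a temp dir (demo only)."""
    etc = tempfile.mkdtemp()

    def touch_csv(*parts):
        os.makedirs(os.path.join(etc, *parts[:-1]), exist_ok=True)
        with open(os.path.join(etc, *parts), "w") as fh:
            fh.write("key,value\n")

    touch_csv("apps", "search", "lookups", "hosts.csv")
    touch_csv("apps", "search", "lookups", "users.csv")
    touch_csv("apps", "other_app", "lookups", "hosts.csv")  # same name, other app
    touch_csv("users", "bob", "search", "lookups", "mine.csv")  # private to bob
    os.makedirs(os.path.join(etc, "apps", "search", "metadata"))
    with open(os.path.join(etc, "apps", "search", "metadata", "local.meta"), "w") as fh:
        fh.write(SAMPLE_LOCAL_META)
    return etc


if __name__ == "__main__":
    for csv, places in audit(build_sample_etc()).items():
        print(csv, places)
```

Run it against a real install by calling audit() with the path to $SPLUNK_HOME/etc instead of the constructed tree; a CSV that shows up under a different app than the one the user is working in, or only under users/<user>/..., explains why the Lookup table files page for the current app does not list it.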