Splunk Search

Can I update a CSV lookup file with more rows and how will this affect existing csv files and lookups?

HattrickNZ
Motivator

Looking at understanding better how lookups work in Splunk.

As I understand it, there are 3 steps:
1. lookup table files - basically you add your *.csv file
2. lookup definitions - name your lookup definition and link it to the above *.csv file
3. Automatic lookups - this is where you do your mapping from the fields that are already in Splunk to the fields in your *.csv

What I want to know specifically is as follows:
If I had a lookup that was working fine off a csv file that only had X number of rows, let's say this:

lookupA,ValueToReplaceLookup
A,America
B,Beijing
C,Columbia

And then sometime later, I come along and I just want to add a few new rows to the csv e.g.

lookupA,ValueToReplaceLookup
A,America
B,Beijing
C,Columbia
D,Denmark
E,Eygpt

What is the best way of doing this without breaking anything?
Do I just delete the existing csv and replace it with the new one, keeping the same name, and then I don't have to do step 2 & 3 above?
Or is there a better way of doing it?


earriaga
Explorer

I know this conversation was a long time ago, but did you find the answer? I have exactly the same question, but do not understand the answers posted here.
I just want to replace the file. I am surprised there is not an update option in the lookup.

0 Karma

earriaga
Explorer

Did you find the answer? I have exactly the same question, but do not understand the answers posted here.
I just want to replace the file. I am surprised there is not an update option in the lookup.

0 Karma

thambisetty_bal
Path Finder

Hi HattrickNZ,

Please find the answer at the link below; it gives you exactly what you want.

http://hubpages.com/technology/Update-Splunk-file-based-lookup-from-search-results

0 Karma

felipecerda
Path Finder

Hi, the link is broken.

diogofgm
SplunkTrust

If it's just a few values you want to add, give this app a shot. It allows you to edit the lookup from Splunk Web.

https://splunkbase.splunk.com/app/1724/

------------
Hope I was able to help you. If so, some karma would be appreciated.

woodcock
Esteemed Legend

You are misunderstanding the 3 Knowledge Object types for lookups. They stack together like this (depending on how you plan to use the CSV):

KO1. Lookup Table - a CSV file in a specific directory. This can be used with either a Lookup Definition or the inputlookup command.
KO2. Lookup Definitions - the glue that is required to use a lookup table file with the lookup command.
KO3. automatic lookups - causes a specific lookup command to be run automatically for a specific sourcetype.

So to modify it, just replace the file on your Search Head and it should take effect immediately.

HattrickNZ
Motivator

Thanks. My question was: if 1 - I have uploaded the csv, 2 - I have defined a lookup on the csv, 3 - defined an auto lookup on 1 and 2, and then I decide I need to update the csv in 1 above, then all I have to do is remove the old one and add the new one, and I don't have to do anything with 2 and 3 as they are now pointing at the newer csv?

0 Karma

woodcock
Esteemed Legend

Correct, see my last line. You also need to refresh the KO out of your browser session cache.

0 Karma

woodcock
Esteemed Legend

Pick an answer that is best and click Accept to close it.

0 Karma

diogofgm
SplunkTrust

Use this:
|inputlookup my_file | append [ subsearch that gives you the remaining new rows ] | outputlookup my_file

Basically this loads the content of your file, appends the result rows from the subsearch (should have the same column names) and saves everything in your file. Note that I kept the same file name in both inputlookup and outputlookup.

------------
Hope I was able to help you. If so, some karma would be appreciated.

HattrickNZ
Motivator

Thanks, but I was more interested in adding the rows to the existing csv file and then uploading it again. I presume you are assuming all the values I want are already in Splunk; this would not be the case.

0 Karma

diogofgm
SplunkTrust

OK, then just replace the csv or edit and save. You don't need to change the lookup definitions if you keep the same field names.

------------
Hope I was able to help you. If so, some karma would be appreciated.
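
An added example, not part of the thread or of any Splunk tooling: a Python script for the replace-the-file approach described in the answers above, which merges new rows into the existing CSV offline, refuses rows whose field names differ from the header (the condition the last answer gives for leaving the lookup definition alone), and swaps the file in under the same name. The function names and the `key_field` parameter are hypothetical, and the sample data is constructed from the CSV in the question.

```python
import csv
import io
import os
import tempfile

def merge_lookup_rows(existing_csv, new_rows, key_field):
    """Return (merged CSV text, added keys, skipped keys); the header is never changed."""
    reader = csv.DictReader(io.StringIO(existing_csv))
    header = reader.fieldnames
    if not header or key_field not in header:
        raise ValueError(f"key field {key_field!r} missing from header {header}")
    rows = list(reader)
    seen = {r[key_field] for r in rows}
    added, skipped = [], []
    for row in new_rows:
        # Field names must match the header exactly, otherwise the lookup
        # definition and automatic lookup that reference them stop matching.
        if set(row) != set(header):
            raise ValueError(f"row fields {sorted(row)} do not match header {header}")
        if row[key_field] in seen:
            skipped.append(row[key_field])  # key already present: keep existing mapping
            continue
        seen.add(row[key_field])
        rows.append(row)
        added.append(row[key_field])
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), added, skipped

def replace_lookup_file(path, csv_text):
    """Write a temp file beside the lookup, then rename it over the old file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", suffix=".tmp")
    with os.fdopen(fd, "w", newline="") as fh:
        fh.write(csv_text)
    os.replace(tmp, path)  # same file name, so steps 2 and 3 are untouched

# Constructed sample: the CSV from the question plus new rows to add.
EXISTING = "lookupA,ValueToReplaceLookup\nA,America\nB,Beijing\nC,Columbia\n"
NEW_ROWS = [
    {"lookupA": "D", "ValueToReplaceLookup": "Denmark"},
    {"lookupA": "E", "ValueToReplaceLookup": "Egypt"},
    {"lookupA": "A", "ValueToReplaceLookup": "Argentina"},  # duplicate key, skipped
]

if __name__ == "__main__":
    merged, added, skipped = merge_lookup_rows(EXISTING, NEW_ROWS, "lookupA")
    print(merged, "added:", added, "skipped:", skipped)
```

`tempfile.mkstemp` creates the file readable only by the account running the script, so run it as the account that owns the lookup file.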