Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I update a CSV lookup file with more rows and how will this affect existing csv files and lookups?

HattrickNZ
Motivator
‎08-17-2015 05:29 PM

Looking at understanding better how lookups work in Splunk.

As I understand it, there are 3 steps:
1. lookup table files - basically you add your *.csv file

2. lookup definitions - name your lookup definition and link it to the above *.csv file
3. Automatic lookups - this is where you do you mapping from the fields that are already in splunk with the fields in your *.csv

What I want to know specifically is as follows:
If i had a lookup that was working fine off a csv file that only had X number of rows, lets say this: 

lookupA,ValueToReplaceLookup
A,America
B,Beijing
C,Columbia

And then sometime later, I come along and I just want to add a few new rows to the csv e.g. 

lookupA,ValueToReplaceLookup
A,America
B,Beijing
C,Columbia
D,Denmark
E,Eygpt

What is the best way of doing this without breaking anything?
Do I just delete the existing csv and replace it with the new one, keeping the same name, and then I don't have to do step 2 & 3 above?
Or is there a better way of doing it?

Tags (3)
Reply

earriaga
Path Finder
‎03-19-2020 09:22 AM

I know this conversation was a long time ago, but Did you find the answer? I have exactly the same question, but do not understand the answers posted here.
I just want to replace the file, I am surprise there is not an update option in the lookup.

0 Karma
Reply

earriaga
Path Finder
‎03-19-2020 09:21 AM

Did you find the answer? I have exactly the same question, but do not understand the answers posted here.
I just want to replace the file, I am surprise there is not an update option in the lookup.

0 Karma
Reply

thambisetty_bal
Path Finder
‎07-14-2016 02:54 PM

Hi HattrickNZ,

Please find answer at below link and it gives you exactly what do you want.

http://hubpages.com/technology/Update-Splunk-file-based-lookup-from-search-results

0 Karma
Reply

felipecerda
Path Finder
‎01-05-2017 05:13 AM

Hi, the link is broken.

Reply

diogofgm
SplunkTrust
SplunkTrust
‎08-18-2015 06:25 PM

If it's just a few values you want to add, give this app a shot. It allows you to edit the lookup from splunk web.

https://splunkbase.splunk.com/app/1724/

------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply

woodcock
Esteemed Legend
‎08-17-2015 11:28 PM

You are misunderstanding the 3 Knowledge Objects types for lookups. They stack together like this (depending on how you plan to use the CSV):

KO1. Lookup Table - a CSV file in a specific directory. This can be used with either a Lookup Definition or the inputlookup command.
KO2. Lookup Definitions - the glue that is required to use a lookup table file with the lookup command.
KO3. automatic lookups - causes a specific lookup command to be run automatically for a specific sourcetype.

So to modify it, just replace the file on your Search Head and it should take effect immediately.

Reply

HattrickNZ
Motivator
‎08-18-2015 12:03 PM

tks, my q was if 1 - i have uploaded the csv 2 - i have defined a lookup on the csv 3 - defined an auto lookup on 1 and 2. And then I decide I need to updatte the csv, in 1 above, then that is all i have to do by removing the old one and adding the new one, and I don't have to do any thing with 2 and 3 as they are now pointing at the newer csv?

0 Karma
Reply

woodcock
Esteemed Legend
‎08-19-2015 06:46 AM

Correct, see my last line. You also need to refresh the KO out of your browser session cache.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-15-2016 04:04 PM

Pick an answer that is best and click Accept to close it.

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎08-17-2015 05:45 PM

Use this:
|inputlookup my_file | append [ subsearch that gives you the remaining new rows ] | outputlookup my_file

Basically this loads the content of your file, appends the result rows from the subsearch (should have the same column names) and saves everything in your file. Note that I keeped the same file name in both inputlookup and outputlookup.

------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply

HattrickNZ
Motivator
‎08-17-2015 06:37 PM

tks, but i was more interested in add the rows to the existing csv file and the nuploading it again. I presume you are assuming all the values I want are already in splunk, this would not be the case.

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎08-17-2015 07:30 PM

Ok then just replace then csv or edit and save. You don't need to change de lookup definitions if you keep the same field names.

------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...