Solved: Can a lookup be recreated and use the existing loo...

leftinnerouter · ‎08-09-2022

The scenario is,

A lookup csv has become unreadable. A lookup definition exists for it.

The lookup was deleted and recreated. The existing definition was not changed.

My question is: Can a lookup be recreated and use the existing lookup definition?

bowesmana · ‎08-09-2022

I lookup definition just points to a CSV on the file system. If that CSV is broken in some way and 'replaced' on the file system, then the new one will be used. It may required the Splunk environment to be refreshed, there may be a caching issue there, but if you are unable to refresh the environment easily, then simply upload the new CSV and change the associated filename in the lookup definition to use the new CSV. In a clustered environment the lookup will need to be propagated between the search heads during replication.

View solution in original post

bowesmana · ‎08-09-2022

I lookup definition just points to a CSV on the file system. If that CSV is broken in some way and 'replaced' on the file system, then the new one will be used. It may required the Splunk environment to be refreshed, there may be a caching issue there, but if you are unable to refresh the environment easily, then simply upload the new CSV and change the associated filename in the lookup definition to use the new CSV. In a clustered environment the lookup will need to be propagated between the search heads during replication.

Can a lookup be recreated and use the existing lookup definition?

lookup

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24