If the lookup file is "staged" on the Splunk instance (i.e., you might have SCP'd it up), you can then use:
But you can't remotely upload a new lookup file with these REST endpoints, you'd need to create a Custom REST Endpoint to do this.
This app might interest you: https://apps.splunk.com/app/1724/
Can anyone explain why 2 years later there STILL isn't a better answer to this question? I shouldn't have to write a custom endpoint to do something as simple as upload a CSV file. If I have to push it to a staging area first, that's fine. Where's the REST endpoint for that? The UI has supported remote uploads ever since the lookups feature was first introduced. What's the deal? If this feature is being intentionally excluded can someone please explain why?
Hey @lowell, do you recall if ever a feature request was made for this? It might have not been addressed simply because of other items with higher customer demand taking the dev resources. If you have a feature request I can make sure a corresponding engineering request is in place thereby tracking this AND validating the customer demand.
I do not have an official feature request in at this time. I was just surprised to see a few similar questions posted here, but no real movement in a few years. The additional complexity I haven't noted yet is that I need a solution that works with Search Head Clustering. I need to be able to consistently programmatically deploy a lookup file to all the members of the cluster. Ideally, I'd be able to not only push a new lookup, but cleanly replace an existing one.
I'll work with my client to get an enhancement request created.
Yeah, without ERs, just because it's in Answers doesn't mean it will work its way up the priority chain.
The best solution to do it programmatically is to use KVStore lookups, which can be handled via the REST API.
You can see it mentioned in a conf 2016 talk:
Shop Smart at the KV Store: Best Value Tricks from the Splunk KV Store and REST API
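The KV Store route suggested above, sketched as an added example (not code from this thread or from Splunk): it turns a small CSV into KV Store documents and builds the REST calls that replace a collection's contents. It assumes the collection and its lookup definition already exist in the app; the host, app, collection name and token are hypothetical.

```python
import csv
import io
import json
import urllib.request
from urllib.parse import quote

# Constructed sample lookup, standing in for a small version-controlled CSV.
SAMPLE_CSV = "host,owner,tier\nweb01,alice,prod\ndb01,bob,prod\nlab07,carol,dev\n"


def csv_to_records(csv_text, key_field):
    """Turn CSV rows into KV Store documents; a stable _key makes re-uploads idempotent."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row.get(key_field):
            raise ValueError(f"row is missing key field {key_field!r}: {row}")
        records.append({"_key": row[key_field], **row})
    return records


def build_requests(base_url, app, collection, records, token, batch_size=1000):
    """Return a DELETE that clears the collection, followed by batch_save POSTs."""
    data_url = (f"{base_url}/servicesNS/nobody/{quote(app, safe='')}"
                f"/storage/collections/data/{quote(collection, safe='')}")
    auth = {"Authorization": f"Bearer {token}"}
    reqs = [urllib.request.Request(data_url, method="DELETE", headers=auth)]
    # batch_size stays at or below the default 1000-document batch_save limit.
    for i in range(0, len(records), batch_size):
        body = json.dumps(records[i:i + batch_size]).encode("utf-8")
        reqs.append(urllib.request.Request(
            f"{data_url}/batch_save", data=body, method="POST",
            headers={**auth, "Content-Type": "application/json"}))
    return reqs


def push(reqs):
    """Send the requests in order; urllib verifies the TLS certificate by default."""
    for req in reqs:
        with urllib.request.urlopen(req, timeout=30) as resp:
            resp.read()


if __name__ == "__main__":
    # Hypothetical host, app, collection and token; call push(reqs) to send.
    reqs = build_requests("https://splunk.example.com:8089", "my_ta", "asset_owners",
                          csv_to_records(SAMPLE_CSV, "host"), token="REPLACE_ME")
    for r in reqs:
        print(r.get_method(), r.full_url)
```

The DELETE and the saves are separate calls, so a search that runs between them sees a partial table.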
Understood. My primary use case is just updating simple (typically 100 lines or less, often less than 1 KB) lookup tables. And mostly I'm looking to do this in just TAs where I want to be able to dictate the exact content of the entire table, maintain them through version control, and so on. I agree that there are lots of other places where KVstore is the ideal solution.
I've only been looking at outputlookup because (1) I need an actual lookup, not just stored search results, and (2) the docs say that outputcsv isn't supported on an SHC (not surprising).
I'm not aware of any issues with uploaded lookup tables. My complaint is that you can't upload it via splunkd (REST) directly, you have to do it via the UI. Which is less ideal from a programmatic perspective.
Can we push lookup table data from an outside database (MongoDB lookup collection) to Splunk with the Splunk Python SDK?
We have been pushing normal data to Splunk with the help of third-party JDBC unity drivers, but are now planning to push it with the Python Splunk SDK. This case is possible and we know how to do it.
The problem is how we can push lookup data to Splunk lookup tables instead of indexes.