
Can you create/modify a lookup file via REST API?

Champion

Hi,

Is it possible to create/modify a lookup file via Splunk's REST API? I don't see anything that addresses this functionality (which, in my mind, is a big hole).


Re: Can you create/modify a lookup file via REST API?

Ultra Champion

If the lookup file is "staged" on the Splunk instance (i.e., you might have SCP'd it up), you can then use:

Create

http://docs.splunk.com/Documentation/Splunk/6.1.3/RESTAPI/RESTknowledge#POST_data.2Flookup-table-fil...

Modify

http://docs.splunk.com/Documentation/Splunk/6.1.3/RESTAPI/RESTknowledge#POST_data.2Flookup-table-fil...

But you can't remotely upload a new lookup file with these REST endpoints; you'd need to create a Custom REST Endpoint to do this.

This app might interest you: https://apps.splunk.com/app/1724/


Re: Can you create/modify a lookup file via REST API?

Super Champion

Can anyone explain why 2 years later there STILL isn't a better answer to this question? I shouldn't have to write a custom endpoint to do something as simple as upload a CSV file. If I have to push it to a staging area first, that's fine. Where's the REST endpoint for that? The UI has supported remote uploads ever since the lookups feature was first introduced. What's the deal? If this feature is being intentionally excluded can someone please explain why?

0 Karma

Re: Can you create/modify a lookup file via REST API?

Ultra Champion

Hey @lowell, do you recall if ever a feature request was made for this? It might have not been addressed simply because of other items with higher customer demand taking the dev resources. If you have a feature request I can make sure a corresponding engineering request is in place thereby tracking this AND validating the customer demand.

0 Karma

Re: Can you create/modify a lookup file via REST API?

Super Champion

I do not have an official feature request in at this time. I was just surprised to see a few similar questions posted here, but no real movement in a few years. The additional complexity I haven't noted yet is that I need a solution that works with Search Head Clustering. I need to be able to consistently programmatically deploy a lookup file to all the members of the cluster. Ideally, I'd be able to not only push a new lookup, but cleanly replace an existing one.

I'll work with my client to get an enhancement request created.

0 Karma

Re: Can you create/modify a lookup file via REST API?

SplunkTrust

Yeah, without ERs, just because it's in Answers doesn't mean it will work its way up the priority chain.
The best solution to do it programmatically is to use KVStore lookups, which can be handled via the REST API.

You can see it mentioned in conf 2016 talk:
https://conf.splunk.com/sessions/2016-sessions.html#
Shop Smart at the KV Store: Best Value Tricks from the Splunk KV Store and REST API

0 Karma
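An added example, not code from any poster in this thread or from Splunk: one way to replace the full contents of a KV Store-backed lookup from a version-controlled CSV over the REST API, as suggested above. The host `splunk.example.com`, the app `my_ta`, the collection `asset_owner` and the use of a Bearer authentication token are assumptions, and the collection is assumed to be already defined in the app's `collections.conf`.

```python
import csv, io, json, os, urllib.parse, urllib.request

# Constructed sample lookup content (normally read from the file kept in version control).
SAMPLE_CSV = "host,owner\nweb01,netops\ndb01,dba\nvpn01,secops\n"

def csv_to_documents(csv_text, key_field):
    """Turn CSV rows into KV Store documents; key_field becomes _key so keys are stable."""
    docs = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row.get(key_field):
            raise ValueError(f"row has no value for key field {key_field!r}: {row}")
        docs.append({"_key": row[key_field], **row})
    return docs

def build_requests(base_url, app, collection, docs, token, batch_size=1000):
    """Plan a full replace: one DELETE of all records, then batch_save POSTs in chunks."""
    quote = lambda s: urllib.parse.quote(s, safe="")  # no path tricks via app/collection names
    url = (f"{base_url}/servicesNS/nobody/{quote(app)}"
           f"/storage/collections/data/{quote(collection)}")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    reqs = [urllib.request.Request(url, method="DELETE", headers=headers)]
    for i in range(0, len(docs), batch_size):
        body = json.dumps(docs[i:i + batch_size]).encode("utf-8")
        reqs.append(urllib.request.Request(url + "/batch_save", data=body,
                                           method="POST", headers=headers))
    return reqs

def send(reqs):
    """Send the planned requests in order; urlopen verifies the TLS certificate by default."""
    for req in reqs:
        with urllib.request.urlopen(req, timeout=30) as resp:
            resp.read()

if __name__ == "__main__":
    docs = csv_to_documents(SAMPLE_CSV, "host")
    token = os.environ.get("SPLUNK_TOKEN")  # assumed variable name; keep tokens out of the repo
    plan = build_requests("https://splunk.example.com:8089", "my_ta", "asset_owner",
                          docs, token or "<token>")
    for req in plan:
        print(req.get_method(), req.full_url)
    if token:  # only touch the server when a real token is supplied
        send(plan)
```

The collection is briefly empty between the DELETE and the first `batch_save`, so searches that run in that window see no rows.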

Re: Can you create/modify a lookup file via REST API?

Super Champion

Understood. My primary use case is just updating simple (typically 100 lines or less, often less than 1 KB) lookup tables. And mostly I'm looking to do this in just TAs where I want to be able to dictate the exact content of the entire table, maintain them through version control, and so on. I agree that there are lots of other places where KVstore is the ideal solution.

0 Karma

Re: Can you create/modify a lookup file via REST API?

Ultra Champion

Sanity check: Are we all on the same page that lookups stay in sync in an SHC when generated with outputlookup, but not outputcsv? Right? Are we saying that when using the upload they do NOT stay in sync?

0 Karma

Re: Can you create/modify a lookup file via REST API?

Super Champion

I've only been looking at outputlookup because (1) I need an actual lookup, not just stored search results, and (2) the docs say that outputcsv isn't supported on an SHC (not surprising).

I'm not aware of any issues with uploaded lookup tables. My complaint is that you can't upload it via splunkd (REST) directly; you have to do it via the UI, which is less ideal from a programmatic perspective.

0 Karma

Re: Can you create/modify a lookup file via REST API?

Path Finder

Hi guys,
Can we push lookup table data from an outside database (MongoDB lookup collection) to Splunk with the Splunk Python SDK?

We have been pushing normal data to Splunk with the help of third-party JDBC Unity drivers, but are now planning to push it with the Python Splunk SDK. This case is possible and we know how to do it.

The problem is how we can push lookup data to Splunk lookup tables instead of indexes.

0 Karma