I would like to create a REST endpoint that will allow me to automate the uploading and updating of a csv lookup file daily.
Is it possible to create such an endpoint and what would be the process to achieve this?
There is a similar question to this, but it has no accepted answer.
Thank you in advance.
I have been trying to run the example you have provided and I keep getting the same error. I then ran the GET example to see if it would run but I got the same output.
C:\Users\Aaron>curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files
curl: (56) Received HTTP code 403 from proxy after CONNECT
I could not find anything in the Splunk answers that referenced the 403 code that refers to this issue.
403 is forbidden/unauthorized so it might be that you have the wrong username and password in the curl command. Make sure you're not actually using admin:pass but instead putting your credentials there. If still same issue, then try the global scope by replacing the user and app name:
I was having some access issues but I was finally able to run the POST command. I am getting a response which is good, but I am unable to write to the file. I first tried it with the command that you linked me to and I got an 'object does not exist' error. Then I added a blank csv to the apps lookups folder "C:\Program Files\Splunk\etc\apps\search\lookups" on the Splunk instance and tried it again and that is when I got the 'Data cannot be written' error.
C:\Users\Aaron>curl -k -u admin:pass https://10.10.10.10:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv -d eai:data=C:/Aaron/Splunk/RESTlookupTest/TestLookup.csv
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">In handler 'lookup-table-files': An object with name=lookup.csv does not exist</msg>
  </messages>
</response>
C:\Users\Aaron>curl -k -u admin:pass https://10.10.10.10:8089/servicesNS/admin/search/data/lookup-table-files/TestLookup.csv -d eai:data=C:/Aaron/Splunk/RESTlookupTest/TestLookup.csv
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">In handler 'lookup-table-files': Data could not be written: /admin/search/lookups/TestLookup.csv: C:/Aaron/Splunk/RESTlookupTest/TestLookup.csv</msg>
  </messages>
</response>
Can you actually try this endpoint? I believe this is the endpoint to create a new lookup (other one was for updating the data for existing lookup).
So basically run this
C:\Users\Aaron>curl -k -u admin:pass https://10.10.10.10:8089/servicesNS/admin/search/data/lookup-table-files -d eai:data=C:/Aaron/Splunk/RESTlookupTest/TestLookup.csv -d name=TestLookup.csv
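An added example, not code from any poster or from Splunk: for the daily job asked about at the top of the thread, this Python code reads the XML error bodies quoted above and decides whether to fall back from the update endpoint to the create endpoint suggested in the last reply. The function names, the sample bodies, and the rule that a 2xx status with no ERROR message counts as success are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Constructed sample bodies, modelled on the two error responses quoted in the thread.
_WRAP = ('<?xml version="1.0" encoding="UTF-8"?><response><messages>'
         '<msg type="ERROR"> In handler \'lookup-table-files\': {}</msg>'
         '</messages></response>')
MISSING = _WRAP.format("An object with name=lookup.csv does not exist")
WRITE_FAIL = _WRAP.format("Data could not be written: /admin/search/lookups/"
                          "TestLookup.csv: C:/Aaron/Splunk/RESTlookupTest/TestLookup.csv")

def parse_messages(body):
    """Return [(type, text)] for each <msg>; an unparsable body yields []."""
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return []
    return [(m.get("type", ""), " ".join((m.text or "").split()))
            for m in root.iter("msg")]

def next_action(status, body):
    """Map one response to ('ok' | 'create' | 'fail', detail)."""
    errors = [t for kind, t in parse_messages(body) if kind.upper() == "ERROR"]
    if any("does not exist" in e for e in errors):
        # Update endpoint hit a lookup that is not there yet: use the create form.
        return "create", errors[0]
    if errors:
        return "fail", errors[0]
    # Assumption: 2xx with no ERROR message means the write was accepted.
    if 200 <= status < 300:
        return "ok", ""
    return "fail", f"HTTP {status}"

def build_request(base, owner, app, name, data_path, action="update"):
    """Return (url, form_fields) in the two shapes used by the curl commands above."""
    coll = f"{base}/servicesNS/{quote(owner)}/{quote(app)}/data/lookup-table-files"
    if action == "create":
        return coll, {"eai:data": data_path, "name": name}
    return f"{coll}/{quote(name)}", {"eai:data": data_path}

if __name__ == "__main__":
    for status, body in ((404, MISSING), (400, WRITE_FAIL), (403, "Forbidden")):
        print(next_action(status, body))
```

The status codes paired with the sample bodies in the `__main__` block are constructed as well; the thread shows only the response bodies.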