Splunk Search

How to add lookup files manually?

isedrof
Engager

Hi Everybody,

I want to ask you, how we can add lookup files into Splunk manually? I'm working on a script that can do this, but the problem is when I do it manually, I don't get a result when I search, even with the same file that I add in Splunk Web.
Thank you.

Tags (3)
0 Karma
1 Solution

MuS
Legend

Hi isedrof,

you can do something like this in a script:

echo "foo,boo
a,1
b,2" > /opt/splunk/etc/system/lookups/lookup.csv

and use it like this in Splunk:

| inputlookup lookup.csv

this will be the result:

alt text

Hope this helps ...

cheers, MuS

View solution in original post

MuS
Legend

Hi isedrof,

you can do something like this in a script:

echo "foo,boo
a,1
b,2" > /opt/splunk/etc/system/lookups/lookup.csv

and use it like this in Splunk:

| inputlookup lookup.csv

this will be the result:

alt text

Hope this helps ...

cheers, MuS

isedrof
Engager

like always u help me..thank you so much It works !

0 Karma

woodcock
Esteemed Legend

What do you mean by "manually"? If you mean as a result of a search, then you just add | outputlookup myLookupFileName. If you mean using ftp or DeploymentServer to put a file onto your Indexers, then, again, just put the file somewhere. In either case, you still have to define the lookup file before you can use it by adding an entry in Settings -> Lookups -> Lookup Definitions -> New. You may also have to adjust your permissions.

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...