Splunk Search

How to create a new lookup from my local machine to clustered environment using curl command?

vn_g
Path Finder

I have to upload the .csv file that gets generated on my local machine through a script to the SH clustered environment using a curl command.

1 Solution

manjunathmeti
SplunkTrust
SplunkTrust

Hi @vn_g,

You need to SCP the CSV file to one of the search heads (to the directory /opt/splunk/var/run/splunk/lookup_tmp/).

scp csv_file.csv user_name@splunk_server_ip:/opt/splunk/var/run/splunk/lookup_tmp/

Then use the endpoint data/lookup-table-files/ to upload the CSV file to the SH cluster:

curl -k -u admin:password https://splunk_server_ip:8089/servicesNS/admin/search/data/lookup-table-files -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/csv_file_name.csv -d name=csv_file_name.csv -d eai:appName=app_name -d eai:userName=user_name

If you don't provide eai:userName and eai:appName, the lookup file will be uploaded with global context, meaning it will be visible to all users and in all apps.


If this reply helps you, an upvote/like would be appreciated.


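As an added example (not the poster's code and not Splunk's own tooling), the Python script below automates the two steps from this answer so a weekly job can run them without hand-typing curl: scp the generated CSV into lookup_tmp on one search head, then POST to data/lookup-table-files with the same form fields as the curl command. The host name, SSH user, app, owner and CA bundle path are placeholders, the password is read from an environment variable instead of appearing on the command line, and the server certificate is verified rather than skipped with -k; those last two are choices of the example, not something the answer states.

```python
"""Added example (not the poster's code): automates the two steps from the
accepted answer for a scheduled weekly lookup upload.
Host name, SSH user, app name, owner and CA bundle path are placeholders."""
import base64
import os
import ssl
import subprocess
import urllib.parse
import urllib.request
from pathlib import Path
from typing import Optional

# Staging directory that already exists on every search head (per the answer).
LOOKUP_TMP = "/opt/splunk/var/run/splunk/lookup_tmp"


def build_upload_form(csv_name: str, app: str, owner: str) -> dict:
    """Form fields matching the -d arguments of the curl command.
    eai:data is the path on the search head, not on the local machine."""
    return {
        "eai:data": f"{LOOKUP_TMP}/{csv_name}",
        "name": csv_name,
        "eai:appName": app,      # leaving these two out would make the
        "eai:userName": owner,   # lookup global (all users, all apps)
    }


def build_upload_request(host: str, csv_name: str, app: str, owner: str,
                         auth_user: str, password: str,
                         port: int = 8089) -> urllib.request.Request:
    """POST to servicesNS/<auth_user>/search/data/lookup-table-files with
    HTTP basic auth, the equivalent of 'curl -u user:pass -d ...'."""
    url = (f"https://{host}:{port}/servicesNS/{auth_user}/search"
           "/data/lookup-table-files")
    body = urllib.parse.urlencode(build_upload_form(csv_name, app, owner)).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    token = base64.b64encode(f"{auth_user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def scp_to_search_head(local_csv: Path, host: str, ssh_user: str) -> None:
    """Step 1: copy the generated CSV into lookup_tmp on one search head.
    check=True raises if scp fails, so we never register a missing file."""
    subprocess.run(
        ["scp", str(local_csv), f"{ssh_user}@{host}:{LOOKUP_TMP}/"],
        check=True,
    )


def upload_lookup(local_csv: Path, host: str, ssh_user: str, app: str,
                  owner: str, auth_user: str, password: str,
                  cafile: Optional[str] = None) -> int:
    """Step 2: register the staged file so the SH cluster replicates it.
    Returns the HTTP status code. Instead of curl -k, the management port's
    certificate is verified against the system store or the bundle in cafile."""
    scp_to_search_head(local_csv, host, ssh_user)
    req = build_upload_request(host, local_csv.name, app, owner,
                               auth_user, password)
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder values; the password comes from the environment so it does
    # not land in shell history the way 'curl -u admin:password' does.
    status = upload_lookup(
        local_csv=Path("weekly_report.csv"),
        host="sh1.example.internal",
        ssh_user="deploy",
        app="search",
        owner="admin",
        auth_user="admin",
        password=os.environ["SPLUNK_PASSWORD"],
        cafile="/etc/ssl/splunk-ca.pem",
    )
    print("upload status:", status)
```

Run it from the same cron or scheduler that produces the CSV; a non-2xx status or a failed scp raises, which is what you want a weekly job to do rather than silently registering nothing.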


vn_g
Path Finder

I have a question.

SCPing the CSV file from local to the SH will make it available only on that search head, in the lookup_tmp directory. And at this stage the lookup is not available in the UI. Is the lookup_tmp directory already available, or are we supposed to create one?

And would running the curl command place the CSV file as a lookup on all the search heads and make it available in the UI?

I work as a Splunk developer, not as an admin, so I don't have access to the Splunk SH.


manjunathmeti
SplunkTrust
SplunkTrust

1. The lookup_tmp directory already exists on the SHs. You don't need to create it.

2. You only need to run the curl command on the search head to which you copied the CSV file. This will push the CSV file to all the search heads in the cluster.

3. Yes, the CSV file will be listed in the SH UI (lookups page) once you run the curl command.


If this reply helps you, an upvote/like would be appreciated.


vn_g
Path Finder

I can run the curl command from my local machine using admin credentials because I have access to the Splunk UI as an admin, but I do not have access to copy my local file to the search head. What can be done in this case?

manjunathmeti
SplunkTrust
SplunkTrust

Then why don't you upload the CSV file directly using the Splunk UI? Check this: https://docs.splunk.com/Documentation/Splunk/8.1.3/Knowledge/Usefieldlookupstoaddinformationtoyourev...

vn_g
Path Finder

No, this is a weekly activity and a Python script generates the file. So I want to run the curl command to upload the generated CSV file automatically once a week. I have limited access (i.e. I have admin access to the Splunk UI but don't have access to any of the search head servers).

manjunathmeti
SplunkTrust
SplunkTrust

Then you need access to the search head servers to copy the CSV file, as the above curl command needs the CSV file to be present on the SH server (in /opt/splunk/var/run/splunk/lookup_tmp).

Thumbs up to the solution and replies are appreciated.


vn_g
Path Finder

OK, thank you.
