How to create a new lookup from my local machine to clustered environment using curl command?

vn_g
Path Finder

I have to upload the .csv file that gets generated on my local machine through a script to an SH clustered environment using a curl command.


manjunathmeti
Champion

hi @vn_g,

You need to SCP the CSV file to one of the search heads (to the directory /opt/splunk/var/run/splunk/lookup_tmp/).

scp csv_file.csv user_name@splunk_server_ip:/opt/splunk/var/run/splunk/lookup_tmp/

Then use the endpoint data/lookup-table-files/ to upload the CSV file to the SH cluster:

curl -k -u admin:password https://splunk_server_ip:8089/servicesNS/admin/search/data/lookup-table-files -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/csv_file_name.csv -d name=csv_file_name.csv -d eai:appName=app_name -d eai:userName=user_name

If you don't provide eai:userName and eai:appName, the lookup file will be uploaded with global context, which means it will be visible to all users and in all apps.

 

If this reply helps you, an upvote/like would be appreciated.
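
The two-step procedure from the answer above, written as a script for an unattended weekly run (an added example, not code from the thread). It assumes Splunk token authentication is enabled and that the deployment's CA certificate is available locally, so it verifies TLS instead of using -k and passes the token on curl's stdin instead of the command line; the host, account and file names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Host, app and file names are
# constructed placeholders; token auth and CA pinning are assumptions.
LOOKUP_TMP=/opt/splunk/var/run/splunk/lookup_tmp   # staging dir from the answer

# Accept only a bare "<name>.csv": no path separators, leading dot or dash.
valid_lookup_name() {
  case "$1" in
    ''|.*|-*|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
    *.csv) return 0 ;;
  esac
  return 1
}

# REST collection URL for an explicit user/app namespace.
lookup_endpoint() {   # args: host user app
  printf 'https://%s:8089/servicesNS/%s/%s/data/lookup-table-files' "$1" "$2" "$3"
}

# curl config for the upload; fed on stdin so the token never appears in argv.
curl_config() {       # args: host user app csv_name token ca_file
  valid_lookup_name "$4" || { echo "bad lookup name: $4" >&2; return 2; }
  printf 'url = "%s"\n' "$(lookup_endpoint "$1" "$2" "$3")"
  printf 'cacert = "%s"\n' "$6"
  printf 'header = "Authorization: Bearer %s"\n' "$5"
  printf 'data-urlencode = "name=%s"\n' "$4"
  printf 'data-urlencode = "eai:data=%s/%s"\n' "$LOOKUP_TMP" "$4"
  printf 'fail\nsilent\nshow-error\n'
}

# Stage the file on one search head, then register it through the REST API.
upload_lookup() {     # args: local_csv ssh_user host owner app token_file ca_file
  local name; name=$(basename -- "$1")
  valid_lookup_name "$name" || return 2
  scp -- "$1" "$2@$3:$LOOKUP_TMP/" || return 1
  curl_config "$3" "$4" "$5" "$name" "$(cat -- "$6")" "$7" | curl --config -
}

# Run only when called with all seven arguments, e.g. from a weekly cron job:
#   ./upload_lookup.sh weekly_report.csv svc_lookup sh1.example.internal \
#       admin search ~/.splunk_token /etc/ssl/splunk-ca.pem
if [ "$#" -eq 7 ]; then upload_lookup "$@"; fi
```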

 

vn_g
Path Finder

I have a question.

SCPing the CSV file from local to the SH, it will be available only on that search head in the lookup_tmp directory. And at this stage the lookup is not available in the UI, and is the lookup_tmp directory already available? Or are we supposed to create one?

And running the curl command would place the CSV file as a lookup on all the search heads and it will be available in the UI?

I work as a Splunk Developer, not as an admin, so I don't have access to the Splunk SH.


manjunathmeti
Champion

1. Directory lookup_tmp already exists on SHs. You don't need to create it.

2. You only need to run the curl command for the search head where you copy the CSV file. This will push the CSV file to all the search heads in the cluster.

3. Yes, the CSV file will be listed in the SH UI (lookups page) once you run the curl command.

 

If this reply helps you, an upvote/like would be appreciated.

vn_g
Path Finder

I can run the curl command from my local machine using admin credentials because I have access to the Splunk UI as an admin, but I do not have access to copy my local file to the search head. What can be done in this case?


manjunathmeti
Champion

Then why don't you upload the CSV file directly using the Splunk UI? Check this: https://docs.splunk.com/Documentation/Splunk/8.1.3/Knowledge/Usefieldlookupstoaddinformationtoyourev...

 

vn_g
Path Finder

No, this is a weekly activity and a Python script generates the file. So I want to run the curl command to upload the generated CSV file automatically once a week. I have limited access (i.e. I have admin access to the Splunk UI but don't have access to any of the search head servers).


manjunathmeti
Champion

Then you need access to the search head servers to copy the CSV file, as the above curl command needs the CSV file to be present on the SH server (in /opt/splunk/var/run/splunk/lookup_tmp).

Thumbs up to the solution and replies are appreciated.

vn_g
Path Finder

OK, thank you.
