Solved: How to download existing lookup file? and how to a...

pacifikn · ‎12-11-2019

How to download existing lookup file? and how to add new row and modify existing lookup file table?

alonsocaio · ‎12-11-2019

If the new row you need to add will be composed by some search result you can use something like:

| inputlookup my_lookup.csv
| YOUR SEARCH HERE
| outputlookup my_lookup.csv append=true

There is also an app on Splunk Base that allows you to edit lookup files: https://splunkbase.splunk.com/app/1724/

Usually lookup files are stored on $SPLUNK_HOME/etc/system/lookups/ or $SPLUNK_HOME/etc/<app_name>/lookups/. From there you can also copy the files or edit them.

One other way you can use to download your lookup files is to use | inputlookup and then go to Export > CSV.

View solution in original post

alonsocaio · ‎12-11-2019

If the new row you need to add will be composed by some search result you can use something like:

| inputlookup my_lookup.csv
| YOUR SEARCH HERE
| outputlookup my_lookup.csv append=true

There is also an app on Splunk Base that allows you to edit lookup files: https://splunkbase.splunk.com/app/1724/

Usually lookup files are stored on $SPLUNK_HOME/etc/system/lookups/ or $SPLUNK_HOME/etc/<app_name>/lookups/. From there you can also copy the files or edit them.

One other way you can use to download your lookup files is to use | inputlookup and then go to Export > CSV.

to4kawa · ‎12-11-2019

How to update a lookup periodically?

How to download existing lookup file? and how to add new row and modify existing lookup file table?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies