Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to read content of refreshed csv file via lookup

sudeep5689
Explorer
‎05-16-2020 11:08 PM

Hi, i have configured a csv lookup in splunk. Now i want to change the content of csv file so that it gets updated in splunk lookup search. Is there a way to this

0 Karma
Reply

sanjeev543
Communicator
‎05-17-2020 01:33 AM

Hi,

There are few ways to perform this,

  1. Convert your file based lookup to kvstore, which helps you to change the content easy (https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/ConfigureKVstorelookups)
  2. Use lookup editor app to modify contents in the lookup (https://splunkbase.splunk.com/app/1724/)
  3. Write a search to modify the contents and update the samelookup |inputlookup abc.csv | <content modify search> | outputlookup abc.csv Your <content modify search> can be something like |eval <fieldname>=if(fieldname=="something","newvalue","oldvalue") etc., to update field such as fieldname values with the new content. Above logic varies based on your requirement, please check eval documentation here (https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/CommonEvalFunctions)
0 Karma
Reply

sudeep5689
Explorer
‎05-17-2020 01:45 AM

Thanks. My objective over here is that i am having some static content which i am loading into the csv file and then reading it using inputlookup. After updating the content curently i have to replace the file in splunk back again.

0 Karma
Reply

sanjeev543
Communicator
‎05-17-2020 02:41 AM

@sudeep5689 Yes, may be 2nd option or 3rd option works for you.
If my solution helps, please mark it as answered

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...