Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to test if a lookup does exist?

vagnet
Explorer
‎11-17-2022 09:11 AM

Hi Splunkers,

I want to create a macro that will be looking inside a lookup file, but in a way that will not break the search if the lookup is non-existent after some time.

Is there any equivalent of for example Linux known "test -f filename" in Splunk?

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-17-2022 10:22 AM

You can use REST to see if a lookup file exists

| rest splunk_server=local /services/admin/lookup-table-files/logins.csv | stats count

but SPL does not have branching commands so I'm not sure how it helps this use case.  Can you say more about the macro and what it will do if the lookup file doesn't exist?

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vagnet
Explorer
‎11-17-2022 10:59 AM

Thanks

 

The macro is responsible to find matching IPs between the lookup and the search. If the lookup does not exist, then the only thing I need is to not break the search, and that runs as normal.

You would wonder, in this case, why I have the lookup inside the search if not existing. The answer is scaling, as that lookup is placed on many searches, and editing them would be time consuming.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-17-2022 01:09 PM

If this is part of a dashboard then I can see it working.  The dashboard runs the rest command at launch to see if the lookup file is present and sets a token based on its findings.  If the file was found then the token would contain the lookup command.  if the file was not found then the token would contain an eval that sets the field sought by the lookup to something like "No lookup available" or "N/A".  The query just needs to replace the existing lookup command with the token.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vagnet
Explorer
‎11-17-2022 02:33 PM

I see, sorry for not making it that clear!

The search is to be part of many alerts in my case and not dashboard

0 Karma
Reply
Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...