Splunk Search

How to test if a lookup exists?

vagnet
Explorer

Hi Splunkers,

I want to create a macro that will be looking inside a lookup file, but in a way that will not break the search if the lookup is non-existent after some time.

Is there any equivalent in Splunk of, for example, the Linux "test -f filename"?

0 Karma

richgalloway
SplunkTrust

You can use REST to see if a lookup file exists

| rest splunk_server=local /services/admin/lookup-table-files/logins.csv | stats count

but SPL does not have branching commands, so I'm not sure how it helps this use case. Can you say more about the macro and what it will do if the lookup file doesn't exist?


---
If this reply helps you, Karma would be appreciated.
0 Karma

vagnet
Explorer

Thanks


The macro is responsible for finding matching IPs between the lookup and the search. If the lookup does not exist, the only thing I need is for the search not to break, so that it runs as normal.

You might wonder why, in this case, I have the lookup inside the search if it doesn't exist. The answer is scaling: that lookup is used in many searches, and editing them all would be time consuming.

0 Karma

richgalloway
SplunkTrust

If this is part of a dashboard then I can see it working. The dashboard runs the rest command at launch to see if the lookup file is present and sets a token based on its findings. If the file was found then the token would contain the lookup command. If the file was not found then the token would contain an eval that sets the field sought by the lookup to something like "No lookup available" or "N/A". The query just needs to replace the existing lookup command with the token.

---
If this reply helps you, Karma would be appreciated.
0 Karma
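The token approach richgalloway describes, written out as a Simple XML dashboard. This is an added example, not code from the thread; the index, sourcetype, the lookup's src_ip/user field names and the dashboard label are assumptions, and it assumes that, when the file is absent, the rest probe returns no rows so that stats count yields 0.

```xml
<form>
  <!-- Added example: assumed label, index, sourcetype and lookup fields -->
  <label>Lookup-aware search (example)</label>

  <!-- Probe search: runs once at load and sets the lookup_cmd token.
       "stats count" always returns one row, so test the count value
       rather than the job's result count. -->
  <search id="lookup_probe">
    <query>| rest splunk_server=local /services/admin/lookup-table-files/logins.csv | stats count</query>
    <done>
      <!-- File present: token carries the real lookup command -->
      <condition match="$result.count$ > 0">
        <set token="lookup_cmd">lookup logins.csv src_ip OUTPUT user</set>
      </condition>
      <!-- File missing: token carries an eval that fills the same field
           so downstream stats/alert logic keeps working -->
      <condition>
        <set token="lookup_cmd">eval user="No lookup available"</set>
      </condition>
    </done>
  </search>

  <row>
    <panel>
      <title>Source IPs and users (lookup optional)</title>
      <table>
        <search>
          <!-- The token replaces the hard-coded lookup command. -->
          <query>index=web sourcetype=access_combined | $lookup_cmd$ | stats count by src_ip user</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The panel search only runs once lookup_cmd is set, so the user field exists on every row whether or not logins.csv is on the search head.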

vagnet
Explorer

I see, sorry for not making it that clear!

The search is to be part of many alerts in my case, not a dashboard.

0 Karma