Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to test if a lookup does exist?

vagnet
Explorer
‎11-17-2022 09:11 AM

Hi Splunkers,

I want to create a macro that will be looking inside a lookup file, but in a way that will not break the search if the lookup is non-existent after some time.

Is there any equivalent of for example Linux known "test -f filename" in Splunk?

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-17-2022 10:22 AM

You can use REST to see if a lookup file exists

| rest splunk_server=local /services/admin/lookup-table-files/logins.csv | stats count

but SPL does not have branching commands so I'm not sure how it helps this use case.  Can you say more about the macro and what it will do if the lookup file doesn't exist?

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vagnet
Explorer
‎11-17-2022 10:59 AM

Thanks

 

The macro is responsible to find matching IPs between the lookup and the search. If the lookup does not exist, then the only thing I need is to not break the search, and that runs as normal.

You would wonder, in this case, why I have the lookup inside the search if not existing. The answer is scaling, as that lookup is placed on many searches, and editing them would be time consuming.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-17-2022 01:09 PM

If this is part of a dashboard then I can see it working.  The dashboard runs the rest command at launch to see if the lookup file is present and sets a token based on its findings.  If the file was found then the token would contain the lookup command.  if the file was not found then the token would contain an eval that sets the field sought by the lookup to something like "No lookup available" or "N/A".  The query just needs to replace the existing lookup command with the token.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vagnet
Explorer
‎11-17-2022 02:33 PM

I see, sorry for not making it that clear!

The search is to be part of many alerts in my case and not dashboard

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...