Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to test if a lookup does exist?

vagnet
Explorer
‎11-17-2022 09:11 AM

Hi Splunkers,

I want to create a macro that will be looking inside a lookup file, but in a way that will not break the search if the lookup is non-existent after some time.

Is there any equivalent of for example Linux known "test -f filename" in Splunk?

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-17-2022 10:22 AM

You can use REST to see if a lookup file exists

| rest splunk_server=local /services/admin/lookup-table-files/logins.csv | stats count

but SPL does not have branching commands so I'm not sure how it helps this use case.  Can you say more about the macro and what it will do if the lookup file doesn't exist?

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vagnet
Explorer
‎11-17-2022 10:59 AM

Thanks

 

The macro is responsible to find matching IPs between the lookup and the search. If the lookup does not exist, then the only thing I need is to not break the search, and that runs as normal.

You would wonder, in this case, why I have the lookup inside the search if not existing. The answer is scaling, as that lookup is placed on many searches, and editing them would be time consuming.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-17-2022 01:09 PM

If this is part of a dashboard then I can see it working.  The dashboard runs the rest command at launch to see if the lookup file is present and sets a token based on its findings.  If the file was found then the token would contain the lookup command.  if the file was not found then the token would contain an eval that sets the field sought by the lookup to something like "No lookup available" or "N/A".  The query just needs to replace the existing lookup command with the token.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

vagnet
Explorer
‎11-17-2022 02:33 PM

I see, sorry for not making it that clear!

The search is to be part of many alerts in my case and not dashboard

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...