How to update a global lookup file via REST API for a particular app in a search head cluster?

phoenixdigital
Builder

Hi All,

I have a Search Head Cluster and I am trying to update a global lookup file in a particular app, but am having no luck. I obviously cannot edit it directly as then it won't be replicated to the rest of the cluster.

So I found this example of editing a lookup via the REST API.
http://docs.splunk.com/Documentation/Splunk/6.1.3/RESTAPI/RESTknowledge#POST_data.2Flookup-table-fil...

And I adapted it to work with my app

curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/my-app/data/lookup-table-files/prices.csv -d eai:data=/opt/splunk/etc/apps/mp-app/spool/prices.csv

It worked.... sort of. The only problem is it created a new lookup table in the admin's private directory

/opt/splunk/etc/users/admin/my-app/lookups/prices.csv

I wanted it to replace the one at

/opt/splunk/etc/apps/my-app/lookups/prices.csv

Screenshot of the aftermath with the green arrow the one I wanted to replace and the red arrow the one that was created.
http://imgur.com/UPOZJN6

I am obviously using the wrong REST API interface. Does anyone have any hints as to where the right one is?

1 Solution

phoenixdigital
Builder

Whew. OK Resolved!!!!

My definition of data was off. Not sure how it worked previously though with admin user???

import requests

splunkApp = "my-app"
splunkUser = "admin"
splunkPwd = "changeme"
# Owner "nobody" in servicesNS addresses the app-level lookup, not a user's private copy.
splunkURI = "https://localhost:8089/servicesNS/nobody/%s/data/lookup-table-files" % splunkApp
lookupName = "station_start_stop_prices.csv"
lookupUpdateURI = "%s/%s" % (splunkURI, lookupName)

headers = {'Content-Type': 'application/json'}
# eai:data is the path of the staged CSV on the search head; a dict is sent as a form field.
data = {"eai:data" : "/opt/splunk/etc/apps/my-app/spool/prices.csv"}
r = requests.post(lookupUpdateURI, data, auth=(splunkUser, splunkPwd), verify=False, headers=headers)

0 Karma
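
An added example (not code from the thread or from Splunk): it builds the same POST as the working curl call, sending eai:data as a form field to the nobody (app-level) namespace, and uses certificate verification and environment variables in place of -k / verify=False and the hard-coded password. The function names and the SPLUNK_USER, SPLUNK_PASSWORD and SPLUNK_CA_FILE variable names are assumptions.

```python
import base64
import os
import ssl
import urllib.parse
import urllib.request

SPLUNKD = "https://localhost:8089"  # management port used in the thread


def lookup_endpoint(app, lookup, owner="nobody"):
    """servicesNS/<owner>/<app>/...: owner 'nobody' addresses the app-level
    lookup; a real user name addresses that user's private copy."""
    # Percent-encode each segment so a name cannot add extra path components.
    parts = [urllib.parse.quote(p, safe="") for p in (owner, app, lookup)]
    return "%s/servicesNS/%s/%s/data/lookup-table-files/%s" % (SPLUNKD, *parts)


def build_update(app, lookup, staged_csv, user, password, owner="nobody"):
    """Build (but do not send) the POST carrying the eai:data form field."""
    body = urllib.parse.urlencode({"eai:data": staged_csv}).encode("ascii")
    req = urllib.request.Request(lookup_endpoint(app, lookup, owner),
                                 data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    return req


def send(req, ca_file):
    """Send with TLS verification against the CA that signed splunkd's cert."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Assumed environment variable names; they keep the password out of the script.
    req = build_update("my-app", "prices.csv",
                       "/opt/splunk/etc/apps/my-app/spool/prices.csv",
                       os.environ["SPLUNK_USER"], os.environ["SPLUNK_PASSWORD"])
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # Uncomment to send to a real search head:
    # print(send(req, os.environ["SPLUNK_CA_FILE"]))
```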

chasrini
New Member

Hi,

I also have a lookup as CSV in Splunk. How do I download the contents of the CSV? requests.get just returns the response code, which is 200.

0 Karma

efavreau
Motivator

@chasrini If you haven't found your answer elsewhere in Splunk Answer, please put in a question that stands on its own.

###

If this reply helps you, an upvote would be appreciated.
0 Karma

phoenixdigital
Builder

Further tests show that this works.

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/my-app/data/lookup-table-files/prices.csv -d eai:data=/opt/splunk/etc/apps/my-app/spool/prices.csv

But now my Python script doesn't work, even though it used to when it was only going to the admin user lookups.

splunkApp = "my-app"
splunkUser = "admin"
splunkPwd = "changeme"
splunkURI = "https://localhost:8089/servicesNS/nobody/%s/data/lookup-table-files" % splunkApp
lookupName = "station_start_stop_prices.csv"
lookupUpdateURI = "%s/%s" % (splunkURI, lookupName)

headers = {'Content-Type': 'application/json'}
# data = json.dumps({"eai:data" : "/opt/splunk/etc/apps/my-app/spool/prices.csv" })
data = "/opt/splunk/etc/apps/my-app/spool/prices.csv"
r = requests.post(lookupUpdateURI, data, auth=(splunkUser, splunkPwd), verify=False, headers=headers)

Can't see any major PEBKAC issues here.

0 Karma