Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to update a global lookup file via REST API for a particular app in a search head cluster?

phoenixdigital
Builder
‎03-01-2016 05:23 PM

Hi All,

I have a Search Head Cluster and I am trying to update a global lookup file in a particular app, but am having no luck. I obviously cannot edit it directly as then it won't be replicated to the rest of the cluster.

So I found this example of editing a lookup via the REST API.
http://docs.splunk.com/Documentation/Splunk/6.1.3/RESTAPI/RESTknowledge#POST_data.2Flookup-table-fil...

And I adapted it to work with my app

curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/my-app/data/lookup-table-files/prices.csv -d eai:data=/opt/splunk/etc/apps/mp-app/spool/prices.csv

It worked.... sort of. The only problem is it created a new lookup table in the admin's private directory

/opt/splunk/etc/users/admin/my-app/lookups/prices.csv

I wanted it to replace the one at

/opt/splunk/etc/apps/my-app/lookups/prices.csv

Screenshot of the aftermath with the green arrow the one I wanted to replace and the red arrow the one that was created.
http://imgur.com/UPOZJN6

I am obviously using the wrong REST API interface does anyone have any hints to where the right one is?

Reply
1 Solution
Solved! Jump to solution
Solution

phoenixdigital
Builder
‎03-01-2016 06:47 PM

Whew. OK Resolved!!!!

My definition of data was off. Not sure how it worked previously though with admin user???

import json
import csv
import requests


splunkApp = "my-app"
splunkUser = "admin"
splunkPwd = "changeme"
splunkURI = "https://localhost:8089/servicesNS/nobody/%s/data/lookup-table-files" % splunkApp
lookupName = "station_start_stop_prices.csv"
lookupUpdateURI = "%s/%s" % (splunkURI, lookupName)

headers = {'Content-Type': 'application/json'}
data = {"eai:data" : "/opt/splunk/etc/apps/my-app/spool/prices.csv"}
r = requests.post(lookupUpdateURI, data, auth=(splunkUser, splunkPwd), verify=False, headers=headers)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

phoenixdigital
Builder
‎03-01-2016 06:47 PM

Whew. OK Resolved!!!!

My definition of data was off. Not sure how it worked previously though with admin user???

import json
import csv
import requests


splunkApp = "my-app"
splunkUser = "admin"
splunkPwd = "changeme"
splunkURI = "https://localhost:8089/servicesNS/nobody/%s/data/lookup-table-files" % splunkApp
lookupName = "station_start_stop_prices.csv"
lookupUpdateURI = "%s/%s" % (splunkURI, lookupName)

headers = {'Content-Type': 'application/json'}
data = {"eai:data" : "/opt/splunk/etc/apps/my-app/spool/prices.csv"}
r = requests.post(lookupUpdateURI, data, auth=(splunkUser, splunkPwd), verify=False, headers=headers)
0 Karma
Reply
Solved! Jump to solution

chasrini
New Member
‎09-22-2019 06:22 PM

Hi,

I also have a lookup as CSV in splunk. How to download the contents of csv. requests.get just return the response code which is 200.

0 Karma
Reply
Solved! Jump to solution

efavreau
Motivator
‎12-05-2019 12:16 PM

@chasrini If you haven't found your answer elsewhere in Splunk Answer, please put in a question that stands on its own.

###

If this reply helps you, an upvote would be appreciated.
0 Karma
Reply
Solved! Jump to solution

phoenixdigital
Builder
‎03-01-2016 06:13 PM

Further tests show that this works.

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/my-app/data/lookup-table-files/prices.csv -d eai:data=/opt/splunk/etc/apps/my-app/spool/prices.csv

But now my Python script doesn't work even though it used to when it was only going to the admin user lookups

splunkApp = "my-app"
splunkUser = "admin"
splunkPwd = "changeme"
splunkURI = "https://localhost:8089/servicesNS/nobody/%s/data/lookup-table-files" % splunkApp
lookupName = "station_start_stop_prices.csv"
lookupUpdateURI = "%s/%s" % (splunkURI, lookupName)

headers = {'Content-Type': 'application/json'}
# data = json.dumps({"eai:data" : "/opt/splunk/etc/apps/my-app/spool/prices.csv" })
data = "/opt/splunk/etc/apps/my-app/spool/prices.csv"
r = requests.post(lookupUpdateURI, data, auth=(splunkUser, splunkPwd), verify=False, headers=headers)

Can't see any major PEBKAC issues here.

0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...