Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to update a lookup periodically?

CYBR_AH
Explorer
‎12-27-2015 10:05 PM

Hi All,

I'm wondering what would be the best way to download the latest CSV from http://cyberthreatalliance.org/cryptowall-dashboard.html

This site has information on the latest Cryptowall information (URL, IPs, Hashes, etc). I'd like to download the csv maybe once a month and update/replace the existing lookup. What would be the best way to do that? Also, would this cause any issues?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-27-2015 10:24 PM

Your question is too general to answer for splunk. However, you can update your lookup files using a scheduler.

Run a scheduled script every month and download the details to lookup location of splunk , for eg: in linux use a script to run a curl command. It's recommended to take a back up of your previous file before updating it.

In case you want the data to be indexed instead of lookup, use splunk's input method with custom scripts.

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-29-2015 07:27 AM

You need the GetWatchList app:
https://splunkbase.splunk.com/app/635/

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎12-28-2015 07:45 AM

Once you know the location of the csv lookup on disk $SPLUNK_HOME/etc/apps/myapp/lookups/mylookup.csv
you can :

  • create a script to replace the file. It can be done while splunk is running.
  • or index the new csv file, and schedule a splunk search to
    • 1) return the results (in the correct field order)
    • 2) use the command "| outputlookup " to overwrite the existing lookup with the results.

see http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/Outputlookup

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-27-2015 10:24 PM

Your question is too general to answer for splunk. However, you can update your lookup files using a scheduler.

Run a scheduled script every month and download the details to lookup location of splunk , for eg: in linux use a script to run a curl command. It's recommended to take a back up of your previous file before updating it.

In case you want the data to be indexed instead of lookup, use splunk's input method with custom scripts.

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...