Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

LookUp Files Issues

zacksoft
Contributor
‎12-17-2019 02:13 AM

I have a lookup file called PriceFactot.csv. I have defined this lookup table and then in query I use
| inputlookup PriceFactor.csv and get my data.

The thing is, PriceFactor.csv's content changes twice a day. SO each time I have to upload/define the new lookup in splunk , or else in the query in shows me stale data.

Is there anyway to make Splunk to keep reading the lookup file or dynamically update itself etc...or any other suggestion??

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-17-2019 02:24 AM

Hi @zacksoft,
you have to schedule a search to automatically update your lookup e.g. twice in a day.
You can do it scheduling the lookup update search (the one finishing with outputlookup PriceFactor.csv) as an alert (running e.g. at 7.00 and 13.00) so you'll automatically have your lookup updated.

If you have many records in you lookup, you could also think to use a summary index instead a lookup to update in the same way.

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-17-2019 02:24 AM

Hi @zacksoft,
you have to schedule a search to automatically update your lookup e.g. twice in a day.
You can do it scheduling the lookup update search (the one finishing with outputlookup PriceFactor.csv) as an alert (running e.g. at 7.00 and 13.00) so you'll automatically have your lookup updated.

If you have many records in you lookup, you could also think to use a summary index instead a lookup to update in the same way.

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎12-17-2019 02:30 AM

The lookup contents are externally updated by another program. I don't have control over it. And the look up is placed in a windows drive folder. What I am looking for is, to read the lookup automatically so that I can get the updated contents.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-17-2019 02:45 AM

Hi @zacksoft,
as I said, you have:

  • to read the csv file using a Universal Forwarder (if it's located in a different server than the Indexer) or the monitor function of the Indexer (if it's located in the Indexer);
  • schedule a search to create your lookup.

Only one question: when you read the content of the csv, you add records to the lookup or override it?
because, if you override it you could think to don't use the lookup but store the csv in an index and run a simple search on this index: in this way you'll have always updated data.

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎12-17-2019 02:50 AM

Thanks @gcusello . It overrides. It doesn't add records.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-17-2019 03:20 AM

Hi @zacksoft,
check what's the execution time and the number of results: if the search isn't heavy and you have less that 50,000 results, you can use it in your searches.
Anyway, you can schedule the search to populate the lookup.

Ciao.
Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...