Splunk Search

continuous monitor inputlookup file without indexing

surekhasplunk
Communicator

Hi,

I know it must be a very basic question, but I need the best way rather than trying to find the best way.

I have developed my app and installed it in Splunk. It uses several lookup files which I have kept in the app/lookups/ folder.
Now the lookup files will change, some daily, some monthly.
And I want a continuous monitor on those so that the latest file gets updated automatically and I get to see the latest data in the dashboards which are using the command |inputlookup file bla bla to update the dashboards.

What is the best way to do this setup?

Can I just go ahead and add a script which will run daily, pull the data from a shared drive and add it to the Splunk lookup folders?
And if I do so, do I need to restart Splunk every time to reflect the changes?
Or do I have to run a forwarder where the files are sitting, forward them to Splunk and get those files indexed?
As I don't want to change my queries. All my dashboard queries work fine and start with |inputlookup commands.

0 Karma

livehybrid
Super Champion

If you are overwriting the existing lookup files in your app then you do not need to restart Splunk. When you do a lookup in Splunk (assuming it is a file-based lookup) it will take the data from within the file in your app/lookups folder.
The only thing to remember is to make sure the permissions are correct and the file can still be read by Splunk, as I have seen cases where people run a cron job as root that overwrites the file and prevents Splunk from reading it.
Let me know if you hit any problems!

0 Karma
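
One way to script the overwrite described in the answer above so that the lookup stays readable by Splunk. This is an added example, not code from the thread: it assumes GNU coreutils (`chmod`/`chown --reference`), and the function name and every path in it are placeholders.

```shell
#!/bin/sh
# Added example: replace a Splunk lookup CSV without breaking read access.
# Assumes GNU coreutils (chmod/chown --reference); all paths are placeholders.

update_lookup() {
    ul_src=$1
    ul_dest=$2
    ul_dir=$(dirname "$ul_dest")

    # Refuse a missing or empty source so a failed share mount
    # cannot blank the lookup the dashboards read.
    if [ ! -s "$ul_src" ]; then
        echo "update_lookup: $ul_src is missing or empty" >&2
        return 1
    fi

    # Stage in the lookups directory itself so the final mv is a rename
    # on one filesystem and searches never see a half-written file.
    ul_tmp=$(mktemp "$ul_dir/.lookup.XXXXXX") || return 1
    if ! cp "$ul_src" "$ul_tmp"; then
        rm -f "$ul_tmp"
        return 1
    fi

    # mktemp creates the file 0600 and owned by the caller (often root
    # under cron). Copy mode and owner from the file being replaced, or
    # from the lookups directory when the lookup is new.
    if [ -f "$ul_dest" ]; then
        ul_ref=$ul_dest
        chmod --reference="$ul_ref" "$ul_tmp"
    else
        ul_ref=$ul_dir
        chmod 644 "$ul_tmp"
    fi
    # Only root can hand the file to another user.
    if [ "$(id -u)" -eq 0 ]; then
        chown --reference="$ul_ref" "$ul_tmp"
    fi

    mv -f "$ul_tmp" "$ul_dest"
}

# Usage (placeholder paths):
#   update_lookup.sh /mnt/share/assets.csv "$SPLUNK_HOME/etc/apps/<app>/lookups/assets.csv"
if [ "$#" -eq 2 ]; then
    update_lookup "$1" "$2"
fi
```

Run from cron as root, the replaced file keeps the owner and mode of the file it overwrites instead of becoming a root-only file.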