Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

continuous monitor inputlookup file without inexing

surekhasplunk
Communicator
‎03-06-2018 02:03 AM

Hi,

I know it must be a very basic question but i need the best way rather than trying to find the best way.

I have developed my app and installed in splunk. It uses several lookup files which i have kept in app/lookups/ folder.
Now the lookup files will change some daily some monthly.
And i want a continuous monitor on those so that the latest file gets updated automatically and i get to see the latest data in the dashboards which are using command |inputlookup file bla bla to update the dashboards.

What is the best way to do this setup ?

can i just go ahead and add a script which will run daily and pull the data from a shared drive and add it to splunk lookup folders.
and if i do so do i need to restart splunk every time to reflect the changes
or do i have to run a forwarder where the files are sitting and forward them to splunk and get those files indexed?
As i dont want to change my queries . all my dashboard queries work fine and start with |inputlookup commands.

Tags (2)
0 Karma
Reply

livehybrid
Super Champion
‎03-06-2018 03:07 AM

If you are overwriting the existing lookup files in your app then you do not need to restart Splunk. When you do a lookup in Splunk (assuming it is a file-based lookup) it will take the data from within the file in your app/lookups folder.
The only thing to remember is to make sure the permissions are correct and the file can still be read by Splunk as I have seen cases where people run a cronjob as root that overwrites the file and prevents Splunk from reading it.
Let me know if you hit any problems!

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top