Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

continuous monitor inputlookup file without inexing

surekhasplunk
Communicator
‎03-06-2018 02:03 AM

Hi,

I know it must be a very basic question but i need the best way rather than trying to find the best way.

I have developed my app and installed in splunk. It uses several lookup files which i have kept in app/lookups/ folder.
Now the lookup files will change some daily some monthly.
And i want a continuous monitor on those so that the latest file gets updated automatically and i get to see the latest data in the dashboards which are using command |inputlookup file bla bla to update the dashboards.

What is the best way to do this setup ?

can i just go ahead and add a script which will run daily and pull the data from a shared drive and add it to splunk lookup folders.
and if i do so do i need to restart splunk every time to reflect the changes
or do i have to run a forwarder where the files are sitting and forward them to splunk and get those files indexed?
As i dont want to change my queries . all my dashboard queries work fine and start with |inputlookup commands.

Tags (2)
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-06-2018 03:07 AM

If you are overwriting the existing lookup files in your app then you do not need to restart Splunk. When you do a lookup in Splunk (assuming it is a file-based lookup) it will take the data from within the file in your app/lookups folder.
The only thing to remember is to make sure the permissions are correct and the file can still be read by Splunk as I have seen cases where people run a cronjob as root that overwrites the file and prevents Splunk from reading it.
Let me know if you hit any problems!

0 Karma
Reply
Get Updates on the Splunk Community!

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...