how to use scripted input for refreshing lookup da...

desi · ‎08-24-2011

I have two files test1.csv and test2.csv. I indexed them in Splunk and then use them as lookup. These two files are refreshed everyday with updated data. What i want to do is refresh my lookups with new data in csv files. Here is what i came up with and put in refresh.bat files.

     generatetest1.csv
     generatetest2.csv
    ./splunk stop
    ./splunk clean eventdata -index test1_index -f
    ./splunk clean eventdata -index test2_index -f
    ./splunk start
    ./splunk add oneshot "C:\downloads\proto_data\csv\test1.csv" -sourcetype csv -index test1_index -rename-source test1  -auth admin:changeme
    ./splunk search "index=test1_index | outputlookup test1lookup.csv" -auth admin:changeme

./splunk add oneshot C:\downloads\proto_data\csv\test2.csv -sourcetype csv -index test2_index -rename-source test2  -auth admin:changeme
./splunk search "index=test2_index | outputlookup test2lookup.csv" -auth admin:changeme

I have two questions:

is this the right way to do?
if yes, how can i modify above script such that instead of calling generatetest1.csv and generatetest2.csv and creating test1.csv and test2.csv i can use scripted input and refresh my lookups.

thanks

melting · ‎08-24-2011

So there is actually a lookup search cmd which will use a csv for this purpose. If that doesn't work you can actually use a scripted lookup. Take a look at the docs. OR this blog post.

how to use scripted input for refreshing lookup data?

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

how to use scripted input for refreshing lookup data?

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0