While there isn't a CLI command line option, there is an environment variable you can set to pass an authentication token directly to the Splunk CLI. You can use the $SPLUNK_TOK variable for this. There is very little documentation on this, if any, but it allows you to use the CLI directly, without creating an auth token file. Similarly, you can also pass this token in on the Authorization header via a curl command to call arbitrary REST endpoints. Example below: #!/bin/bash # Make sure passAuth=user is setup in your scripted input stanza, or this script will hang waiting for input. read tok # Do whatever CLI call you want to do SPLUNK_TOK=$tok $SPLUNK_HOME/bin/splunk list forward-server # Or make whatever REST call via CURL, like so: curl -k -H "Authorization: Splunk $tok" https://localhost:8089/servicesNS/-/-/data/inputs/script # Or restart Splunkd, .... curl -k -H "Authorization: Splunk $tok" -X POST https://localhost:8089/services/server/control/restart ... All of southeringtonp's warnings about security still apply. It's possible for other processes to look at another processes env variable (in the case of the Splunk CLI), and to see the command line options (in the case of curl). However, this may be considered "safer" than writing auth tokens to the file system. One positive security note is that Splunk appears to expire the token after the script completes, so that should reduce the window for any potential abuse of these credentials for quick scripts. ... View more

This still works in recent version of Splunk. A few versions complained about this as an unknown configuration (not documented in the README), but it should have continued to work throughout various versions. ... View more

I've only been looking at outputlooup because (1) I need an actual lookup, not just stored search results, and (2) The docs say that outputcsv isn't supported on an SHC (not surprising) I'm not aware of any issues with uploaded lookup tables. My complaint is that you can't upload it via splunkd (REST) directly, you have to do it via the UI. Which is less ideal from a programatic perspective. ... View more

At the moment, I'm really just trying to deploy small changes to the lookups in various TAs. So it's not like I'm trying to sync the same file each time I make a change. ... View more

Yeah, I know what you mean. I'm looking at a similar problem and trying to figure out object promotion pathways. If you can do all your work in a dev environment and prohibit changes in production, that helps a bunch. (Assuming DEV is a non-SHC instance, lol.) However that's just not realistic. My current approach (not yet field tested) is to create 2 classes of objects: fully maintained (supported by the local Splunk admins/devs) which are version controlled, and user-created content which is "unofficial" and untracked. The first class would always be shared, and the second may be shared at the app level (preferably with just a small group a users). This means a few things must be done by the promoter (1) rename and cleanup objects when they become official, (2) make any such objects read-only (users can still copy a dashboard, for example, but under a different name), and (3) all official objects are pulled into git and changes must always be made via git (and therefore pushed via deployer) rather than being made within the live system. ... View more

Done! I've also requested that this problem be listed on the "Known Issues" page as the impact is significant. Not only do I consider this a bug, but it's a bug that causes more bugs! ... View more

@SloshBurch, Just sent in an enhancement request as case 448563. Anything you can do to promote would be greatly appreciated. Thanks. ... View more

I just thought it may be worth pointing out that the mvrex command which is implemented by the SA-cim_validator app may be something worth taking a look at. While the command itself doesn't deal with lookups, values pulled back from lookups are send through this command on at least one of the dashboards: https://github.com/hire-vladimir/SA-cim_validator/blob/master/bin/mvrex.py Anyways, the combo of regex within lookups is pretty rare. Thought this may give some future readers some ideas to think about. ... View more

Yeah, I've been using tricks like that to "manually edit" the lookup tables to match the lookups that I maintain on the deployer. It's a serious pain. Especially if you have to add a row. | inputlookup blah | append [ stats count | fields - count | eval first="harvey", last="thewonderhamster" ] | outputlookup blah Thanks for the feedback ... View more

Understood. My primary use case is just updating simple (typically 100 lines or less, often less than 1 KB) lookup tables. And mostly I'm looking to do this in just TAs where I want to be able to dictate the exact content of the entire table, maintain them through version control, and so on. I agree that there are lots of other places where KVstore is the ideal solution. ... View more

I do not have an official feature request in at this time. I was just surprised to see a few similar questions posted here, but no real movement in a few years. The additional complexity I haven't noted yet is that I need a solution that works with Search Head Clustering. I need to be able to consistently programmatically deploy a lookup file to all the members of the cluster. Ideally, I'd be able to not only push a new lookup, but cleanly replace an existing one. I'll work with my client to get an enhancement request created. ... View more

Can anyone explain why 2 years later there STILL isn't a better answer to this question? I shouldn't have to write a custom endpoint to do something as simple as upload a CSV file. If I have to push it to a staging area first, that's fine. Where's the REST endpoint for that? The UI has supported remote uploads ever since the lookups feature was first introduced. What's the deal? If this feature is being intentionally excluded can someone please explain why? ... View more

Um, doesn't setting this at search time have a pretty significant performance implication? Additionally, since data is stored in reverse TIME order (emphasis on time) in the index, this means that what your search pull back will be based on the initial _time field (as it was stored in the index) and NOT search-time extracted _time field shown above. I strongly recommend avoiding this solution. It's find if you want to extract it with some OTHER name, just don't use "_time". ... View more

Okay, so this adds a new field with the name of the transforms stanza ("search_foo_indexfields") with the value of either "a" or "b". Just confirmed it in the _meta field dumped out with exporttool. "... date_mday::25 date_zone::0 search_foo_indexfields::a" From the docs, it's not 100% clear if _KEY_x and _VAL_x is supported at index time, but it doesn't seem to be working. ... View more

I assume _KEY_! is a typo for _KEY_1 ? I was aware of that syntax, but didn't think it held any advantages here. (But I'll give it a try.) I haven't tried MV_ADD as the docs say, "This attribute is only valid for search-time field extractions." ... View more

@rich7177, where is the walk through? The link just points back to the same comment. ... View more

FYI, I've been unable to ingest the the analytic logs using the traditional WinEventLog input method. Apparently this is a known (designed in) limitation on Microsoft's part that applies to all Analytic and Debugging logs. When you attempt to ingest these logs, Splunk returns error MS Error code 15009. According to MSDN, "You cannot subscribe to an Analytic or Debug channel; the events for an Analytic or Debug channel go directly to a log file and cannot be subscribed to." The Splunk Stream option sounds interesting. Does anyone know how complicated it would be to take that feed an make it CIM compliant with the goal of Enterprise Security integration. ... View more

I'd like to avoid on transforms stanza per field if possible. My real use case has more than just 4 fields. (Not an unmanageable number, just seems like the has to be a better solution.) I'm pretty sure the backslash escaping is happing automatically by the summary indexing plumbing commands (I'm just using the defaults builtin alert actions for summary indexing) And in fact, I'm already dealing with escaped backlashes in part of my search, so I know the've been taken care of in my base search. And yes I could remove them at search time, but since I'm in control of the data generation, it seems silly to deal with something in every search I write, if I could fix the issue once when the data is written. ... View more

Note that when you attempt to point WinEventLog input to an .etl file, you end up with the following error: WinEventLogChannel::init: Init failed, unable to subscribe to the Windows Event Log channel 'microsoft-windows-dnsserver/analytical': errorCode=15009 . According to MSDN, 15009 means ERROR_EVT_SUBSCRIPTION_TO_DIRECT_CHANNEL. "You cannot subscribe to an Analytic or Debug channel; the events for an Analytic or Debug channel go directly to a log file and cannot be subscribed to." Not sure what that means exactly, but sounds like a bad day. I too confirmed that converting from the .etl log format to .evtx doesn't make the problem go away. ... View more

For anyone interested, here's my shell script that I used to (1) monitor disk usage of the searchpeers folder and (2) cleanup any (unused) artifacts older than 24 hours. I find it frustrating that Splunk isn't "doing the right thing" out of the box. But I'm not above workaround scripts when necessary. So here goes. Note that I ran into some issues with timing on my system due to the massive volume of these files by the time I found and attempted to correct the issue. (The searhpeers folder was over 1TB, and took over 12 hours to delete.) Hence the time checks around the du and the directory related rm . The other thing of note is that I check the "active_tokens" in the bundles before deleting them. I created this to run as a scripted input. As always, "use at your own risk" and "your millage may vary", ... Code listing for searchpeers.sh : #!/bin/sh MAX_HOURS=24 test -d $SPLUNK_HOME/var/run/searchpeers || exit links=$(stat $SPLUNK_HOME/var/run/searchpeers/ -c %h 2>/dev/null) if [ $links -lt 3 ] then # Empty directory. Not a search peer?... Nothing to do. exit fi start=$(date +"%s.%3N") size_mb=$(du -sm $SPLUNK_HOME/var/run/searchpeers | cut -f1) full_bundle=$(find $SPLUNK_HOME/var/run/searchpeers -maxdepth 1 -mindepth 1 -type f -name '*.bundle' | wc -l) delta_bundle=$(find $SPLUNK_HOME/var/run/searchpeers -maxdepth 1 -mindepth 1 -type f -name '*.delta' | wc -l) tmp_folders=$(find $SPLUNK_HOME/var/run/searchpeers -maxdepth 1 -mindepth 1 -type d -name '*.tmp' | wc -l) bundle_folders=$(find $SPLUNK_HOME/var/run/searchpeers -maxdepth 1 -mindepth 1 -type d \! -name '*.tmp' | wc -l) end=$(date +"%s.%3N") total=$(echo "$end - $start" | bc) echo "$(date) searchpeers_total_mb=$size_mb full_bundle=$full_bundle delta=$delta_bundle tmp=$tmp_folders bundle_folders=$bundle_folders collection_sec=$total" if [ $bundle_folders -ge 5 ] then # Do cleanup, if necessary find $SPLUNK_HOME/var/run/searchpeers -maxdepth 1 -mindepth 1 -type d -mmin +$[$MAX_HOURS * 60] | ( while read bundle do #echo Looking at directory $bundle alive_searches=$(find $bundle/alive_tokens -type p | wc -l) if [ $alive_searches -eq 0 ] then echo "$(date) Removing old unused bundle: $bundle" start=$(date +"%s.%3N") rm -rf "$bundle" end=$(date +"%s.%3N") total=$(echo "$end - $start" | bc) echo "$(date) Removed bundle=$(basename $bundle) seconds=$total" else echo "$(date) Bundle $bundle still in use by $alive_searches searches. Not removing it." fi done ) find $SPLUNK_HOME/var/run/searchpeers -maxdepth 1 -mindepth 1 -type f -mmin +$[$MAX_HOURS * 60] | \ while read f do echo "$(date) removing old bundle file: $f" rm -f "$f" done fi ... View more

BTW, this patch does NOT fix the fact that some indexers still have the "searchpeers" folder growing uncontrollably. So I'm posting my own script here for anyone else running into a similar issue. ... View more

FYI. From support: SPL-133450: 6.5+ splunk does full bundle replication everytime - slowing down the system This will be fixed in Splunk 6.5.2 (should be available by the end of the month) however, if you are interested we do have a incremental patch to address this issue that is not publicly available. ... View more