updating csv file periodically

splunkuseradmin · ‎03-25-2019

Hello everybody,

I wanted to know what are the possible ways we can update lookup.csv file. I know,
1 . through manually uploading from lookup editor and update manually edit fields using same lookup editor.

I wanted to upload csv through lookup editor once, then setup a file to update every week. so that i can access from my splunk
cluster and "index=collab_core".

can any 1 suggest a easy or possible steps to solve this.

thanks

MuS · ‎03-25-2019

Hi splunkuseradmin,

find a detailed answer how it can be done here : https://answers.splunk.com/answers/708473/how-do-you-update-a-lookup-table-manually-in-a-dis.html#an...

There is also an option to use SPL in combination with | inputlookup append=t ... | ... | outputlookup ... to update the lookup file using event data in Splunk itself.

Hope this helps ...

cheers, MuS

splunkuseradmin · ‎03-25-2019

I am not getting any logs or event data to update the file.
The file we have is we getting that from some other external source, which contains employees details and then uploading the file in splunk and wants to update periodically

MuS · ‎03-26-2019

Well in this case, the easiest option is to simply replace the lookup file with the newer version on the file system of the Splunk instance itself.

updating csv file periodically

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?