Thanks. I could do all of this outside Splunk, but I'm looking for something within Splunk (module, or even better, an SPL command) that would let users do it.
That kinda implies doing stuff like: https://splunkbase.splunk.com/app/1724 (which Damien mentioned)
Thanks, not really what I'm looking for though. Was hoping for something similar to dbquery, where I can create the actual lookup as part of my command, and update it that way as well. Don't want to use a GUI to create the lookup (other than the actual SPL command), don't want to create it/update it via curl at the OS layer. Want it all to work similar to dbquery, only using REST...
Doesn't sound like it's available (though, I will look at the utility listed below...)
An easy button it is you want (said like Yoda). 😉 Yeah, looks like nothing currently available. Welcome to create it and post your first app! hint hint. lol
If the lookup file is "staged" on the Splunk instance (i.e. you might have SCP'd it up), you can then use:
Create
Modify
But you can't remotely upload a new lookup file with these REST endpoints; you'd need to create a Custom REST Endpoint to do this.
This app might interest you : https://apps.splunk.com/app/1724/
Can anyone explain why 2 years later there STILL isn't a better answer to this question? I shouldn't have to write a custom endpoint to do something as simple as upload a CSV file. If I have to push it to a staging area first, that's fine. Where's the REST endpoint for that? The UI has supported remote uploads ever since the lookups feature was first introduced. What's the deal? If this feature is being intentionally excluded can someone please explain why?
Hey @lowell, do you recall if a feature request was ever made for this? It might not have been addressed simply because of other items with higher customer demand taking the dev resources. If you have a feature request I can make sure a corresponding engineering request is in place, thereby tracking this AND validating the customer demand.
@SloshBurch, Just sent in an enhancement request as case 448563. Anything you can do to promote would be greatly appreciated. Thanks.
Thanks! Found it. Following and making sure a JIRA gets requested.
Is there an easy way to upload a file into Splunk using custom visualization(file upload)?
@SloshBurch It's been a couple year, and I'm curious if there's any update you can share?
I've just asked for an update on the related JIRA item. It's still open and unassigned. Unfortunately, I don't have any more insight so I've asked if anyone else can share more information back over here. Thanks for your patience.
I do not have an official feature request in at this time. I was just surprised to see a few similar questions posted here, but no real movement in a few years. The additional complexity I haven't noted yet is that I need a solution that works with Search Head Clustering. I need to be able to consistently programmatically deploy a lookup file to all the members of the cluster. Ideally, I'd be able to not only push a new lookup, but cleanly replace an existing one.
I'll work with my client to get an enhancement request created.
Sanity check: Are we all on the same page that lookups stay in sync in a SHC when generated with outputlookup, but not outputcsv? Right? Are we saying that when using the upload they do NOT stay in sync?
I've only been looking at outputlookup because (1) I need an actual lookup, not just stored search results, and (2) the docs say that outputcsv isn't supported on an SHC (not surprising).
I'm not aware of any issues with uploaded lookup tables. My complaint is that you can't upload it via splunkd (REST) directly; you have to do it via the UI. Which is less ideal from a programmatic perspective.
Hi guys,
Can we push lookup table data from an outside database (MongoDB lookup collection) to Splunk with the Splunk Python SDK?
We have been pushing normal data to Splunk with the help of third-party JDBC Unity drivers, but now we are planning to push it with the Python Splunk SDK. This case is possible and we know how to do it.
The problem is how we can push lookup data to Splunk lookup tables instead of indexes.
@harry2007gsp - I might be overthinking it, but this might be better suited as a new post (question) on the forum rather than as a comment like this. I want to make sure your question gets the attention it deserves...
If you do that, let us know the link to the post and we can jump on it there.
Yeah, without ERs, just because it's in Answers doesn't mean it will work its way up the priority chain.
The best solution to do it programmatically is to use KV Store lookups, which can be handled via the REST API.
You can see it mentioned in the .conf 2016 talk:
https://conf.splunk.com/sessions/2016-sessions.html#
Shop Smart at the KV Store: Best Value Tricks from the Splunk KV Store and REST API
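As an added example (not code from the thread or from Splunk), here is what that KV Store route looks like in practice: a small Python client that turns a CSV lookup into the splunkd REST calls that define the collection, empty it and reload it (the "cleanly replace an existing one" case raised earlier), plus the transforms.conf stanza that exposes the collection as a lookup. The app name, collection name, bearer token and the 1000-record batch size are assumptions.

```python
import csv
import io
import json
import urllib.error
import urllib.parse
import urllib.request

BATCH = 1000  # assumed default of max_documents_per_batch_save (limits.conf)

def plan_kvstore_replace(csv_text, app, collection, batch=BATCH):
    """Ordered (method, path, body, content_type) calls whose end state is a
    collection holding exactly the CSV rows (assumed app/collection names)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    fields = list(rows[0]) if rows else []
    base = f"/servicesNS/nobody/{app}/storage/collections"
    # 1. create the collection and declare its fields; an existing collection
    #    answers 409 Conflict, which apply_plan() accepts as success
    cfg = {"name": collection, **{f"field.{f}": "string" for f in fields}}
    calls = [("POST", f"{base}/config", cfg, "application/x-www-form-urlencoded")]
    # 2. delete all records so rows from an earlier upload cannot linger
    calls.append(("DELETE", f"{base}/data/{collection}", None, None))
    # 3. batch_save the rows, one request per `batch` records
    for i in range(0, len(rows), batch):
        calls.append(("POST", f"{base}/data/{collection}/batch_save",
                      rows[i:i + batch], "application/json"))
    return calls

def transforms_stanza(lookup_name, collection, fields):
    """transforms.conf stanza that exposes the collection as a lookup."""
    return (f"[{lookup_name}]\nexternal_type = kvstore\ncollection = {collection}\n"
            f"fields_list = _key,{','.join(fields)}\n")

def apply_plan(base_url, token, calls):
    """Send the calls to splunkd (base_url like https://sh:8089); return statuses."""
    statuses = []
    for method, path, body, ctype in calls:
        data = None if body is None else (
            json.dumps(body) if ctype == "application/json"
            else urllib.parse.urlencode(body)).encode()
        req = urllib.request.Request(base_url + path, data=data, method=method,
                                     headers={"Authorization": f"Bearer {token}"})
        if ctype:
            req.add_header("Content-Type", ctype)
        try:
            with urllib.request.urlopen(req) as resp:
                statuses.append(resp.status)
        except urllib.error.HTTPError as err:
            if err.code != 409 or not path.endswith("/config"):
                raise
            statuses.append(err.code)
    return statuses
```

Run the same plan against every search head, or against the captain only and let KV Store replication carry it to the other members; the plan is idempotent, so re-running it after a failed batch is safe.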
Understood. My primary use case is just updating simple (typically 100 lines or less, often less than 1 KB) lookup tables. And mostly I'm looking to do this in just TAs where I want to be able to dictate the exact content of the entire table, maintain them through version control, and so on. I agree that there are lots of other places where KVstore is the ideal solution.