How to update a global lookup file via REST API for a particular app in a search head cluster?

phoenixdigital
Builder

Hi All,

I have a Search Head Cluster and I am trying to update a global lookup file in a particular app, but am having no luck. I obviously cannot edit it directly as then it won't be replicated to the rest of the cluster.

So I found this example of editing a lookup via the REST API.
http://docs.splunk.com/Documentation/Splunk/6.1.3/RESTAPI/RESTknowledge#POST_data.2Flookup-table-fil...

And I adapted it to work with my app

curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/my-app/data/lookup-table-files/prices.csv -d eai:data=/opt/splunk/etc/apps/mp-app/spool/prices.csv

It worked.... sort of. The only problem is that it created a new lookup table in the admin user's private directory:

/opt/splunk/etc/users/admin/my-app/lookups/prices.csv

I wanted it to replace the one at:

/opt/splunk/etc/apps/my-app/lookups/prices.csv

Screenshot of the aftermath: the green arrow marks the one I wanted to replace and the red arrow the one that was created.
http://imgur.com/UPOZJN6

I am obviously using the wrong REST API interface. Does anyone have any hints as to where the right one is?

1 Solution

phoenixdigital
Builder

Whew. OK Resolved!!!!

My definition of data was off. Not sure how it worked previously with the admin user, though.

import requests

splunkApp = "my-app"
splunkUser = "admin"
splunkPwd = "changeme"
# "nobody" as the owner segment targets the app-level lookups directory
# (etc/apps/<app>/lookups); a user name there writes to that user's private directory instead
splunkURI = "https://localhost:8089/servicesNS/nobody/%s/data/lookup-table-files" % splunkApp
lookupName = "station_start_stop_prices.csv"
lookupUpdateURI = "%s/%s" % (splunkURI, lookupName)

# the endpoint reads the staged file path from the form field eai:data;
# requests sends a dict form-encoded, so no Content-Type header is needed
data = {"eai:data": "/opt/splunk/etc/apps/my-app/spool/prices.csv"}
# verify=False skips certificate checking for the self-signed management cert;
# pass the CA bundle path instead where one is available
r = requests.post(lookupUpdateURI, data=data, auth=(splunkUser, splunkPwd), verify=False)
r.raise_for_status()


chasrini
New Member

Hi,

I also have a lookup as a CSV in Splunk. How do I download the contents of the CSV? requests.get just returns the response code, which is 200.

efavreau
Motivator

@chasrini If you haven't found your answer elsewhere in Splunk Answers, please put in a question that stands on its own.

###

If this reply helps you, an upvote would be appreciated.

phoenixdigital
Builder

Further tests show that this works.

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/my-app/data/lookup-table-files/prices.csv -d eai:data=/opt/splunk/etc/apps/my-app/spool/prices.csv

But now my Python script doesn't work, even though it used to when it was only going to the admin user's lookups.

import requests

splunkApp = "my-app"
splunkUser = "admin"
splunkPwd = "changeme"
splunkURI = "https://localhost:8089/servicesNS/nobody/%s/data/lookup-table-files" % splunkApp
lookupName = "station_start_stop_prices.csv"
lookupUpdateURI = "%s/%s" % (splunkURI, lookupName)

headers = {'Content-Type': 'application/json'}
# data = json.dumps({"eai:data" : "/opt/splunk/etc/apps/my-app/spool/prices.csv" })
# body is the bare path string, not an eai:data form field
data = "/opt/splunk/etc/apps/my-app/spool/prices.csv"
r = requests.post(lookupUpdateURI, data, auth=(splunkUser, splunkPwd), verify=False, headers=headers)

Can't see any major PEBKAC issues here.

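As an added example (not code from this thread or from Splunk), the script below puts together the two things the thread turns on: the owner segment of the servicesNS path decides whether the file lands in etc/apps/my-app/lookups (owner nobody) or in a user's private directory (owner admin), and the staged path has to be sent as the eai:data form field rather than as the raw request body, which is the difference between the accepted solution and the failing script just above. After the POST it reads the entry back with output_mode=json and reports which namespace it landed in. Host, app, credentials and spool path are the ones used in the thread; the helper names (lookup_file_url, update_payload, classify_placement, update_and_verify) are my own, and the two sample entries are constructed to match the shape of a JSON entry, not captured from a server.

```python
from urllib.parse import quote

SPLUNK_HOST = "https://localhost:8089"  # same management port as the curl commands above


def lookup_file_url(app, lookup_name, owner="nobody"):
    """Endpoint for one lookup-table file (hypothetical helper).

    /servicesNS/nobody/<app>/ targets the app's shared lookups directory
    (etc/apps/<app>/lookups). /servicesNS/<user>/<app>/ targets that user's
    private directory (etc/users/<user>/<app>/lookups), which is what the
    original curl with 'admin' as the owner did.
    """
    return "{}/servicesNS/{}/{}/data/lookup-table-files/{}".format(
        SPLUNK_HOST,
        quote(owner, safe=""),
        quote(app, safe=""),
        quote(lookup_name, safe=""),
    )


def update_payload(staged_path):
    """Form fields for the update POST (hypothetical helper).

    The endpoint reads the field named 'eai:data', so the body must carry a
    key/value pair (curl -d eai:data=..., or a dict for requests). Posting the
    bare path string as the body sends no 'eai:data' field at all.
    """
    return {"eai:data": staged_path}


def classify_placement(entry, app):
    """Say where a lookup-table entry returned with output_mode=json lives.

    Returns 'app' for a copy in the app (or global) namespace of `app`,
    'private' for a user-owned copy, 'other' otherwise. Each entry carries
    an 'acl' block with owner, app and sharing.
    """
    acl = entry.get("acl", {})
    if acl.get("app") != app:
        return "other"
    if acl.get("owner") == "nobody" and acl.get("sharing") in ("app", "global"):
        return "app"
    if acl.get("sharing") == "user":
        return "private"
    return "other"


def update_and_verify(session, app, lookup_name, staged_path, auth, verify):
    """POST the staged file into the app namespace, then GET the entry back
    and report where it landed. `session` is any object with requests-style
    post()/get() methods (a requests.Session when run from main)."""
    url = lookup_file_url(app, lookup_name)
    r = session.post(url, data=update_payload(staged_path), auth=auth, verify=verify)
    r.raise_for_status()
    r = session.get(url, params={"output_mode": "json"}, auth=auth, verify=verify)
    r.raise_for_status()
    entries = r.json().get("entry", [])
    return classify_placement(entries[0], app) if entries else "other"


# Constructed sample entries in the shape output_mode=json returns; they are
# not captured from a real server.
SAMPLE_APP_ENTRY = {
    "name": "prices.csv",
    "acl": {"owner": "nobody", "app": "my-app", "sharing": "app"},
}
SAMPLE_PRIVATE_ENTRY = {
    "name": "prices.csv",
    "acl": {"owner": "admin", "app": "my-app", "sharing": "user"},
}


if __name__ == "__main__":
    import requests  # imported here so the helpers above stay importable without it

    session = requests.Session()
    # verify=False matches the thread's lab setup with a self-signed cert;
    # point it at the CA bundle that signed the management certificate elsewhere.
    placement = update_and_verify(
        session, "my-app", "prices.csv",
        "/opt/splunk/etc/apps/my-app/spool/prices.csv",
        auth=("admin", "changeme"), verify=False,
    )
    print("lookup placement:", placement)
```

Run against a live search head cluster member, the script prints `lookup placement: app` when the file went to etc/apps/my-app/lookups and `private` when the owner segment sent it to a user directory, so the check catches the mistake from the question before the replicated bundle is inspected by hand.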