Hi,
I have a CSV file which is dynamically updated by a Macro (every 7 mins). This csv file is used as a inputlookup to search a list of domains in SPLUNK.
Currently, if I have to update the csv file in SPLUNK, I need to delete the existing csv file stored in splunk and manually upload the Macro updated csv file.
Please let me know if this process can be automated.
Note: The csv is stored in Manager» Lookups» Lookup table files.
Regards,
Santhosh
Hello
If it is a file that is beign updated continuosly, probably it would be better to simply index the file everytime it changes. So using a UF an a monitor stanza you will index the file everytime it changes maybe yo need to use CHECK_METHOD = modtime in your props.conf).
Then you can use the indexed data to do the lookup, using join command for example
EDIT: Take a look at this:
https://wiki.splunk.com/Dynamically_Editing_Lookup_Tables
Regards