Splunk Search

How to set up a csv lookup file I update daily to be referenced by searches without having to redefine it?

lbogle
Contributor

Hello Splunkers,
Question: I have a lookup working properly on a .csv file but I appear to have correctly assumed that once I define the lookup file and then I update the lookup file with the day's fresh copy, my Splunk searches would automatically reference the new .csv file without me having to redefine it. This appears to not be the case.
Is this possible to set up? Should I be using Automatic Lookups or will I need to redefine the lookup file every time I have a new .csv to reference?
Thanks!

0 Karma

aholzer
Motivator

Splunk makes a local copy of any csv you use in a lookup, so you'll have to update the local copy on the Splunk server if you are going to do it that way.

If the updated csv is the result of a search, may I suggest you look into the outputlookup command, and simply overwrite or append to your existing lookup.

0 Karma
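One way to script the daily update of the local copy that the answer above describes, as an added example (not code from this thread or from Splunk). It goes a little beyond the answer by checking the new file before swapping it in; the helper name `update_lookup`, the script name and all paths are assumptions, including that the lookup sits in an app's `lookups` directory under `$SPLUNK_HOME`.

```shell
#!/bin/sh
# Added example. Assumed layout: $SPLUNK_HOME/etc/apps/<app>/lookups/<name>.csv
# Run as the account Splunk runs under so the replaced file stays readable to it.

# update_lookup NEW_CSV TARGET_CSV  (hypothetical helper name)
# Returns 0 after replacing TARGET_CSV, 1 if NEW_CSV is rejected (target untouched).
update_lookup() {
    new_csv=$1
    target=$2

    # A failed or truncated export must never blank out the live lookup.
    [ -s "$new_csv" ] || { echo "reject: $new_csv missing or empty" >&2; return 1; }

    # Count non-blank data rows after the header line.
    rows=$(tail -n +2 "$new_csv" | grep -c . || true)
    [ "$rows" -gt 0 ] || { echo "reject: $new_csv has no data rows" >&2; return 1; }

    # Searches reference fields by column name, so the header must not drift.
    if [ -f "$target" ]; then
        new_header=$(head -n 1 "$new_csv" | tr -d '\r')
        old_header=$(head -n 1 "$target" | tr -d '\r')
        [ "$new_header" = "$old_header" ] || {
            echo "reject: header changed from '$old_header' to '$new_header'" >&2
            return 1
        }
    fi

    # Stage beside the target so the final mv is a same-filesystem rename:
    # a reader sees the old file or the new one, never a half-written copy.
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    if cp "$new_csv" "$tmp" && mv -f "$tmp" "$target"; then
        echo "updated $target ($rows data rows)"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Command-line use, e.g. from a daily cron job (both paths are placeholders):
#   update_lookup.sh /path/to/todays.csv "$SPLUNK_HOME/etc/apps/search/lookups/mylookup.csv"
if [ "$#" -eq 2 ]; then
    update_lookup "$1" "$2"
fi
```
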

lbogle
Contributor

Thanks for the reply, AH.
The .csv file is not the result of a search.
So Splunk does not have the capability to update the local copy of the .csv file at all unless I manually re-add it, is that correct? What is an automatic lookup?
Thanks!

0 Karma

aholzer
Motivator

You know the "lookup" command, right? It's basically a join against a lookup table. An automatic lookup is one you define against a sourcetype / source, and it will do this join automatically without the need for the lookup command in your search. It has nothing to do with updating the lookup content.

0 Karma

lbogle
Contributor

Okay, thanks for your assistance.

0 Karma