How to update a global lookup file via REST API for a particular app in a search head cluster?

phoenixdigital
Builder

Hi All,

I have a Search Head Cluster and I am trying to update a global lookup file in a particular app, but am having no luck. I obviously cannot edit it directly as then it won't be replicated to the rest of the cluster.

So I found this example of editing a lookup via the REST API.
http://docs.splunk.com/Documentation/Splunk/6.1.3/RESTAPI/RESTknowledge#POST_data.2Flookup-table-fil...

And I adapted it to work with my app

curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/my-app/data/lookup-table-files/prices.csv -d eai:data=/opt/splunk/etc/apps/mp-app/spool/prices.csv

It worked.... sort of. The only problem is it created a new lookup table in the admin's private directory

/opt/splunk/etc/users/admin/my-app/lookups/prices.csv

I wanted it to replace the one at

/opt/splunk/etc/apps/my-app/lookups/prices.csv

Screenshot of the aftermath with the green arrow the one I wanted to replace and the red arrow the one that was created.
http://imgur.com/UPOZJN6

I am obviously using the wrong REST API interface. Does anyone have any hints as to where the right one is?

1 Solution

phoenixdigital
Builder

Whew. OK Resolved!!!!

My definition of data was off. Not sure how it worked previously though with admin user???

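import json
import csv
import requests


splunkApp = "my-app"
splunkUser = "admin"
splunkPwd = "changeme"
# Owner "nobody" in the servicesNS path addresses the app-level lookup, not a user's private copy
splunkURI = "https://localhost:8089/servicesNS/nobody/%s/data/lookup-table-files" % splunkApp
lookupName = "station_start_stop_prices.csv"
lookupUpdateURI = "%s/%s" % (splunkURI, lookupName)

headers = {'Content-Type': 'application/json'}
# Passed as a dict, so requests form-encodes the body (as curl -d does), whatever the header above says
data = {"eai:data" : "/opt/splunk/etc/apps/my-app/spool/prices.csv"}
# verify=False turns off TLS certificate verification (the equivalent of curl -k)
r = requests.post(lookupUpdateURI, data, auth=(splunkUser, splunkPwd), verify=False, headers=headers)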

0 Karma
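
An added example, not part of the original posts or Splunk's own code: a standard-library Python version of the request in the accepted answer that shows how the owner segment of the `servicesNS` path decides which copy of the lookup is written, keeps certificate verification on and reads credentials from the environment. The function names and the `SPLUNK_USER`, `SPLUNK_PASSWORD` and `SPLUNK_CA` variable names are hypothetical; the on-disk paths are the ones reported in this thread.

```python
import base64
import os
import ssl
import urllib.parse
import urllib.request

SPLUNK_ETC = "/opt/splunk/etc"  # install path as it appears in the thread


def lookup_target(owner, app, lookup, base="https://localhost:8089"):
    """Return (REST URL, on-disk path the thread reports for that owner)."""
    q = urllib.parse.quote
    url = "%s/servicesNS/%s/%s/data/lookup-table-files/%s" % (
        base, q(owner, safe=""), q(app, safe=""), q(lookup, safe=""))
    if owner == "nobody":   # app-level lookup
        disk = "%s/apps/%s/lookups/%s" % (SPLUNK_ETC, app, lookup)
    else:                   # private copy under that user's directory
        disk = "%s/users/%s/%s/lookups/%s" % (SPLUNK_ETC, owner, app, lookup)
    return url, disk


def build_update(owner, app, lookup, staged_csv, user, password):
    """Build (not send) the POST that points eai:data at a staged CSV."""
    url, _ = lookup_target(owner, app, lookup)
    body = urllib.parse.urlencode({"eai:data": staged_csv}).encode()
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": "Basic " + token,
        "Content-Type": "application/x-www-form-urlencoded",
    })


def send(req, ca_file=None):
    """Send with certificate verification on (no -k / verify=False)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Hypothetical environment variable names; nothing is hard-coded here
    req = build_update("nobody", "my-app", "prices.csv",
                       "/opt/splunk/etc/apps/my-app/spool/prices.csv",
                       os.environ["SPLUNK_USER"], os.environ["SPLUNK_PASSWORD"])
    print(send(req, os.environ.get("SPLUNK_CA")))
```
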


chasrini
New Member

Hi,

I also have a lookup as a CSV in Splunk. How do I download the contents of the CSV? requests.get just returns the response code, which is 200.

0 Karma

efavreau
Motivator

@chasrini If you haven't found your answer elsewhere in Splunk Answer, please put in a question that stands on its own.

###

If this reply helps you, an upvote would be appreciated.
0 Karma

phoenixdigital
Builder

Further tests show that this works.

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/my-app/data/lookup-table-files/prices.csv -d eai:data=/opt/splunk/etc/apps/my-app/spool/prices.csv

But now my Python script doesn't work, even though it used to when it was only going to the admin user lookups.

splunkApp = "my-app"
splunkUser = "admin"
splunkPwd = "changeme"
splunkURI = "https://localhost:8089/servicesNS/nobody/%s/data/lookup-table-files" % splunkApp
lookupName = "station_start_stop_prices.csv"
lookupUpdateURI = "%s/%s" % (splunkURI, lookupName)

headers = {'Content-Type': 'application/json'}
# data = json.dumps({"eai:data" : "/opt/splunk/etc/apps/my-app/spool/prices.csv" })
data = "/opt/splunk/etc/apps/my-app/spool/prices.csv"
r = requests.post(lookupUpdateURI, data, auth=(splunkUser, splunkPwd), verify=False, headers=headers)

Can't see any major PEBKAC issues here.

0 Karma