Splunk Search

Continuous monitor of inputlookup file without indexing

surekhasplunk
Communicator

Hi,

I know it must be a very basic question, but I need the best way rather than trying to find the best way.

I have developed my app and installed it in Splunk. It uses several lookup files, which I have kept in the app/lookups/ folder.
Now the lookup files will change, some daily, some monthly.
And I want a continuous monitor on those so that the latest file gets updated automatically and I get to see the latest data in the dashboards, which use the command |inputlookup file bla bla to update the dashboards.

What is the best way to do this setup?

Can I just go ahead and add a script which will run daily and pull the data from a shared drive and add it to the Splunk lookup folders?
And if I do so, do I need to restart Splunk every time to reflect the changes?
Or do I have to run a forwarder where the files are sitting and forward them to Splunk and get those files indexed?
I don't want to change my queries; all my dashboard queries work fine and start with |inputlookup commands.


livehybrid
Builder

If you are overwriting the existing lookup files in your app, then you do not need to restart Splunk. When you do a lookup in Splunk (assuming it is a file-based lookup), it will take the data from within the file in your app/lookups folder.
The only thing to remember is to make sure the permissions are correct and the file can still be read by Splunk, as I have seen cases where people run a cron job as root that overwrites the file and prevents Splunk from reading it.
Let me know if you hit any problems!

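The refresh script implied by the answer above, written out as an added example (this is not code from the original thread or from Splunk). It copies a CSV from the shared drive into the app's lookups directory so that the next |inputlookup reads the new data without a restart and without indexing anything, and it guards against the two ways this usually goes wrong: a half-written file being read mid-copy, and a root cron job leaving a file the Splunk account cannot read. The paths, the lookup name, and the "splunk" service account are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Refresh a file-based lookup in place.
# Assumptions (hypothetical): the export on the shared drive is a plain CSV, splunkd
# runs as the account passed in $3 (e.g. "splunk"), and the app lives under
# $SPLUNK_HOME/etc/apps/<app>. Schedule with cron at whatever cadence each file changes.
# Usage: refresh_lookup /mnt/share/assets.csv /opt/splunk/etc/apps/myapp/lookups splunk

refresh_lookup() {
    src="$1"           # file on the shared drive
    lookups_dir="$2"   # <app>/lookups directory that |inputlookup reads from
    owner="${3:-}"     # account splunkd runs as; chown only when we are root
    name=$(basename "$src")
    dest="$lookups_dir/$name"
    tmp="$lookups_dir/.$name.tmp.$$"

    [ -r "$src" ] || { echo "source not readable: $src" >&2; return 1; }
    [ -d "$lookups_dir" ] || { echo "no lookups dir: $lookups_dir" >&2; return 1; }

    # Refuse an empty export: installing it would make every dashboard go blank
    # with no error, which is worse than keeping yesterday's data.
    [ -s "$src" ] || { echo "refusing to install empty file: $src" >&2; return 1; }

    # Write to a temp file in the same directory, then rename. The rename is atomic
    # on POSIX filesystems, so a search running at that moment sees either the old
    # or the new CSV, never a partially copied one.
    cp "$src" "$tmp" || return 1
    chmod 0644 "$tmp" || { rm -f "$tmp"; return 1; }
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        # This is the trap from the answer: a root cron job that leaves a
        # root-owned 0600 file. Hand ownership to the Splunk account.
        chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 1; }

    # Final check when running as root: the Splunk account must be able to read it.
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        su -s /bin/sh "$owner" -c "test -r '$dest'" \
            || { echo "Splunk user cannot read $dest" >&2; return 1; }
    fi
    return 0
}
```

Run it from cron as root only if you pass the Splunk account as the third argument; running the job as the Splunk user itself is simpler and avoids the ownership problem entirely. On a distributed deployment the refreshed file reaches the search peers with the next knowledge bundle replication, so very large lookups are worth keeping out of the bundle.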