Hi,
I know it must be a very basic question but i need the best way rather than trying to find the best way.
I have developed my app and installed in splunk. It uses several lookup files which i have kept in app/lookups/ folder.
Now the lookup files will change some daily some monthly.
And i want a continuous monitor on those so that the latest file gets updated automatically and i get to see the latest data in the dashboards which are using command |inputlookup file bla bla to update the dashboards.
What is the best way to do this setup ?
can i just go ahead and add a script which will run daily and pull the data from a shared drive and add it to splunk lookup folders.
and if i do so do i need to restart splunk every time to reflect the changes
or do i have to run a forwarder where the files are sitting and forward them to splunk and get those files indexed?
As i dont want to change my queries . all my dashboard queries work fine and start with |inputlookup commands.
If you are overwriting the existing lookup files in your app then you do not need to restart Splunk. When you do a lookup in Splunk (assuming it is a file-based lookup) it will take the data from within the file in your app/lookups
folder.
The only thing to remember is to make sure the permissions are correct and the file can still be read by Splunk as I have seen cases where people run a cronjob as root that overwrites the file and prevents Splunk from reading it.
Let me know if you hit any problems!