Getting Data In

Monitoring a file in $SPLUNKHOME/etc/apps/search/lookups

mcm10285
Communicator

Does Splunk read $SPLUNKHOME/etc/apps/search/lookups in a special manner? I placed a CSV file in that directory of a search head to be monitored and it seems like it is not being indexed, or at least it's not searchable. Using it as an inputlookup works though. I want to monitor that file and use it in a form search, an inventory search.

Checked /var/log/splunk/splunkd.log; below are the only log lines found for the directory/path where the file is:

INFO TailingProcessor - Parsing configuration stanza: monitor:///splunksearches/SH/etc/apps/search/lookups/filename.csv

INFO TailingProcessor - Adding watch on path:///splunksearches/SH/etc/apps/search/lookups/filename.csv


mcm10285
Communicator

Somehow this just worked... might have been a delayed indexing...


lukejadamec
Super Champion

Using tail for a one-time file index routine is not the best way to go about it.
Try it from the command line - see this post:
splunk-base.splunk.com/answers/6922/how-to-ask-splunk-to-index-a-file-using-the-cli


mcm10285
Communicator

Tried the CLI and it returned the message below:

In handler 'monitor': Cannot create another input with the name "/splunksearches/SH/etc/apps/search/lookups/IP_Blocklist.csv", one already exists.

However, when I checked, the data is already indexed. Wonder how long it took.

Thanks for the suggestions anyway.


martin_mueller
SplunkTrust

Start your search with inputlookup, that'll give you the file in Splunk to continue your search:

| inputlookup file_name | search something or other

mcm10285
Communicator

I don't. I just placed a file in the lookups folder and I want to index that.

inputlookup needs a search against it. I need to search on the file itself.


martin_mueller
SplunkTrust

Why would you index a lookup? If you want to start searches with that data, just use inputlookup.

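As an added example (not code from any post in this thread), here is how the CSV the thread discusses can be used from the search language instead of through a monitor input, which is the route the last reply recommends. The first search uses inputlookup to return the file's rows directly, which is what a form or inventory search needs; the second uses lookup to join the same file onto indexed events so that any traffic from a listed address is surfaced. The lookup file name is the one mentioned above; the column names ip and note, the index firewall, the event field src_ip and the sample address pattern are assumptions for illustration only. Referencing the CSV by file name in lookup assumes the file sits in a lookups directory visible to the search app; defining it in transforms.conf and referencing that definition name is the more usual setup.

```spl
| inputlookup IP_Blocklist.csv
| search ip="10.0.0.*"
| table ip note

index=firewall earliest=-24h
| lookup IP_Blocklist.csv ip AS src_ip OUTPUT note AS blocklist_note
| where isnotnull(blocklist_note)
| stats count BY src_ip blocklist_note
```

The first search can be the base of a form search by replacing the literal address pattern with a dashboard token. The second keeps only events whose source address matched a row in the file, so the file is consulted at search time and any edits to it take effect on the next search, with no reindexing of the file required.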