Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I update a CSV lookup file with more rows and how will this affect existing csv files and lookups?

HattrickNZ
Motivator
‎08-17-2015 05:29 PM

Looking at understanding better how lookups work in Splunk.

As I understand it, there are 3 steps:
1. lookup table files - basically you add your *.csv file

2. lookup definitions - name your lookup definition and link it to the above *.csv file
3. Automatic lookups - this is where you do you mapping from the fields that are already in splunk with the fields in your *.csv

What I want to know specifically is as follows:
If i had a lookup that was working fine off a csv file that only had X number of rows, lets say this: 

lookupA,ValueToReplaceLookup
A,America
B,Beijing
C,Columbia

And then sometime later, I come along and I just want to add a few new rows to the csv e.g. 

lookupA,ValueToReplaceLookup
A,America
B,Beijing
C,Columbia
D,Denmark
E,Eygpt

What is the best way of doing this without breaking anything?
Do I just delete the existing csv and replace it with the new one, keeping the same name, and then I don't have to do step 2 & 3 above?
Or is there a better way of doing it?

Tags (3)
Reply

earriaga
Explorer
‎03-19-2020 09:22 AM

I know this conversation was a long time ago, but Did you find the answer? I have exactly the same question, but do not understand the answers posted here.
I just want to replace the file, I am surprise there is not an update option in the lookup.

0 Karma
Reply

earriaga
Explorer
‎03-19-2020 09:21 AM

Did you find the answer? I have exactly the same question, but do not understand the answers posted here.
I just want to replace the file, I am surprise there is not an update option in the lookup.

0 Karma
Reply

thambisetty_bal
Path Finder
‎07-14-2016 02:54 PM

Hi HattrickNZ,

Please find answer at below link and it gives you exactly what do you want.

http://hubpages.com/technology/Update-Splunk-file-based-lookup-from-search-results

0 Karma
Reply

felipecerda
Path Finder
‎01-05-2017 05:13 AM

Hi, the link is broken.

Reply

diogofgm
SplunkTrust
SplunkTrust
‎08-18-2015 06:25 PM

If it's just a few values you want to add, give this app a shot. It allows you to edit the lookup from splunk web.

https://splunkbase.splunk.com/app/1724/

------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply

woodcock
Esteemed Legend
‎08-17-2015 11:28 PM

You are misunderstanding the 3 Knowledge Objects types for lookups. They stack together like this (depending on how you plan to use the CSV):

KO1. Lookup Table - a CSV file in a specific directory. This can be used with either a Lookup Definition or the inputlookup command.
KO2. Lookup Definitions - the glue that is required to use a lookup table file with the lookup command.
KO3. automatic lookups - causes a specific lookup command to be run automatically for a specific sourcetype.

So to modify it, just replace the file on your Search Head and it should take effect immediately.

Reply

HattrickNZ
Motivator
‎08-18-2015 12:03 PM

tks, my q was if 1 - i have uploaded the csv 2 - i have defined a lookup on the csv 3 - defined an auto lookup on 1 and 2. And then I decide I need to updatte the csv, in 1 above, then that is all i have to do by removing the old one and adding the new one, and I don't have to do any thing with 2 and 3 as they are now pointing at the newer csv?

0 Karma
Reply

woodcock
Esteemed Legend
‎08-19-2015 06:46 AM

Correct, see my last line. You also need to refresh the KO out of your browser session cache.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-15-2016 04:04 PM

Pick an answer that is best and click Accept to close it.

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎08-17-2015 05:45 PM

Use this:
|inputlookup my_file | append [ subsearch that gives you the remaining new rows ] | outputlookup my_file

Basically this loads the content of your file, appends the result rows from the subsearch (should have the same column names) and saves everything in your file. Note that I keeped the same file name in both inputlookup and outputlookup.

------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply

HattrickNZ
Motivator
‎08-17-2015 06:37 PM

tks, but i was more interested in add the rows to the existing csv file and the nuploading it again. I presume you are assuming all the values I want are already in splunk, this would not be the case.

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎08-17-2015 07:30 PM

Ok then just replace then csv or edit and save. You don't need to change de lookup definitions if you keep the same field names.

------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...