Upload a CSV file to the Splunk Data Stream Processor to enrich data with a lookup (2024)

On April 3, 2023, Splunk Data Stream Processor reached its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.

All DSP releases prior to DSP 1.4.0 use Gravity, a Kubernetes orchestrator, which has been announced end-of-life. We have replaced Gravity with an alternative component in DSP 1.4.0. Therefore, we will no longer provide support for versions of DSP prior to DSP 1.4.0 after July 1, 2023. We advise all of our customers to upgrade to DSP 1.4.0 in order to continue to receive full product support from Splunk.

CSV lookups are file-based lookups that match field values from your events to field values in the static table represented by a CSV file. They output corresponding field values from the table to your data. They are also referred to as static lookups. Use lookups to enrich fields to your streaming data by adding fields from CSV files.

CSV lookups are best for small sets of data. The general workflow for creating a CSV lookup in the is to upload a file in the Lookups tab and then invoke the CSV file using the lookup function.

Lookup table files

Lookup table files are files that contain a lookup table. A standard lookup pulls fields out of this table and adds them to your records when corresponding fields in the table are matched in your records.

A single lookup table file can be used by multiple pipelines.

Upload the lookup table file

To use a CSV lookup, you must first upload a lookup table file to the .

Prerequisites

  • An available .csv file. The maximum file size is 50MiB.

Steps

  1. In the Splunk Data Stream Processor, select Lookups
  2. On the Lookups page, click Add lookup.
  3. Enter a name for your lookup.
  4. Upload the CSV file.
  5. Check whether your file has a header in the first row. If your file doesn't have a header, enter the header fields separated by commas.
  6. Click Save.

You can now use the lookup file in your pipelines using the lookup function.

Update a CSV lookup

Follow these steps to upload a new version of a lookup table file. By default, the automatically detects when you upload a new version of a CSV lookup file and active pipelines will automatically switch to using the latest version of the CSV file.

Update a CSV lookup using the UI

  1. In the Splunk Data Stream Processor, select Lookups and find the lookup that you'd like to update.
  2. Click on the name of the lookup, and then click the Edit lookup button.
  3. Upload the new CSV file.
  4. Check whether your file has a header in the first row. If your file doesn't have a header, enter the header fields separated by commas.
  5. Click Save.

You now have an updated lookup file that can be used in your pipelines with the lookup function.

Update a CSV lookup using the Streams API

  1. Log in to the Splunk Cloud Services CLI. Copy and save the bearer token returned to a preferred location.
    ./scloud login --verbose
  2. Upload the new CSV file that you want to use. Copy and save the returned id value to a preferred location.
    curl -k --location --request POST 'https://<DSP_HOST>/default/streams/v3beta1/lookups/files' \ --header 'Authorization: Bearer <my-bearer-token>' --form 'file=@/path/to/my/csv_file.csv'

    This CSV file must contain the same schema, or headers, as the previous CSV file. If you want to use a CSV file containing a different schema, then you must create a new lookup connection.

  3. Now that you've uploaded the new CSV file that you want to use, retrieve the id corresponding to the connection to the CSV file. Copy and save the returned id value to a preferred location.
    curl -k --location --request GET 'https://<DSP_HOST>/default/streams/v3beta1/connections' \--header 'Authorization: Bearer <my-bearer-token>' 
  4. Modify the existing lookup connection to use the updated CSV file. Replace connection_id with the id from step 3 and file_id with the id from step 2.
    curl -k -X PATCH "https://<DSP_HOST>/default/streams/v3beta1/connections/<connection_id>" \ -H "Authorization: Bearer <my-bearer-token>" \ -H "Content-Type: application/json" \ -d '{"data": {"file_id": "<file_id>"}}'

    The following table lists the full range of options available when you update the lookup connection.

    JSON ParameterFormatDescription
    check_for_new_connection_secsintegerOptional. The checks every minute to see if there have been updates to CSV lookup files. If there was an update, any active pipelines using the CSV file automatically switch to using the latest version of the file. This option enables or disables automatic updates and allows you to select how frequently you want to check for updates to the CSV file. Set this to 0 to disable automatic updates. This value must be 30 seconds or greater. Set this to a higher value, such as 300 seconds (5 minutes) to decrease network traffic. Defaults to 60 seconds.

    If this setting is enabled and your pipeline fails shortly after updating an in-use CSV lookup file, check to see if you have violated the total allowed cache quota for your pipeline. The cumulative size of all CSV lookups in a single pipeline cannot exceed 50MiB. For example, in a single pipeline, you can use one 50MiB CSV lookup file or five 10MiB files. If you update your CSV file and exceed this quota, then your pipeline will fail. To prevent this, make sure that the cumulative size of all CSV lookups in a single pipeline do not exceed 50MiB.

    trim_edge_whitespacebooleanOptional. Set to false if you do not want to trim leading and trailing whitespaces from your file headers or data rows. Defaults to true.

You now have an updated lookup file that can be used in your pipelines with the lookup function.

Enable or disable automatic updates using the DSP CLI tool

By default, the checks every minute to see if there have been any updates to your CSV lookup files. If an update is detected, then any active pipelines using the CSV file automatically switch to using the latest version of the file.

As an alternative to configuring this automatic update behavior using the check_for_new_connection_secs JSON parameter described in the previous section, you can also enable or disable automatic updates using the DSP CLI tool.

  1. Navigate to the working directory of a DSP controller node.
  2. Run one of the following commands to enable or disable automatic updates for CSV lookup files:
    • To enable automatic updates, run the following command:
      dsp admin connection update-lookup --enable-update-checks
    • To disable automatic updates, run the following command:
      dsp admin connection update-lookup --disable-update-checks

Deleting unused lookup files

After 24 hours, the automatically deletes any unused lookup files. This means that any files that are not associated with an existing lookup connection and any old versions of a lookup file are automatically deleted from the system.

If you want to modify how frequently unused lookup files are deleted, perform the following steps.

  1. From the working directory of a DSP controller node, run the following command to configure how frequently you want to delete unused lookup files. Set to 0 to disable automatic cleanup of lookup files.
    dsp config set streams pipelines_data_file_cleanup_frequency_in_hrs=<value>
  2. Deploy your changes.
    dsp deploy streams
Upload a CSV file to the Splunk Data Stream Processor to enrich data with a lookup (2024)

FAQs

Upload a CSV file to the Splunk Data Stream Processor to enrich data with a lookup? ›

You can create either a CSV lookup or a KV store lookup.

How do I add a lookup file in Splunk? ›

Add a lookup to Splunk Enterprise Security
  1. Select Configure > Content > Content Management.
  2. Click Create New Content > Managed Lookup.
  3. Click Create New.
  4. Select a lookup file to upload.
  5. (Optional) Change the default App for the file.
  6. (Optional) Modify the file name.
  7. (Optional) Modify the definition name.
Aug 11, 2023

How to get data from CSV in Splunk? ›

To upload a file, do the following:
  1. Open the Lookup Editor.
  2. Click "New"
  3. Click the file selector at the top right of the screen near where it says "Import from CSV file"; once your file it uploaded it will appear in the interface.
  4. Set a name for the lookup and press save.

Which file types can be uploaded to create a lookup in Splunk? ›

You can create either a CSV lookup or a KV store lookup.

How to create a CSV file in Splunk? ›

The general workflow for creating a CSV lookup in Splunk Web is to upload a file, share the lookup table file, and then create the lookup definition from the lookup table file. CSV inline lookup table files, and inline lookup definitions that use CSV files, are both dataset types. See Dataset types and usage.

How do I upload a CSV file to Splunk lookup? ›

In the Splunk Data Stream Processor, select Lookups and find the lookup that you'd like to update. Click on the name of the lookup, and then click the Edit lookup button. Upload the new CSV file. Check whether your file has a header in the first row.

What is the lookup command in Splunk? ›

Lookups enrich your event data by adding field-value combinations from lookup tables. Splunk software uses lookups to match field-value combinations in your event data with field-value combinations in external lookup tables.

How do I add files to Splunk? ›

Upload data
  1. Select Add Data, which is found in either the Settings dropdown or the Splunk Enterprise homepage.
  2. Select Upload, and then select your data file.
May 25, 2023

Which file types can be uploaded to create a lookup? ›

Final answer: The files that can be uploaded to create a lookup are typically XLS, XML, and CSV.

What are the two forms of lookup? ›

There are two ways to use LOOKUP: Vector form and Array form
  • Vector form: Use this form of LOOKUP to search one row or one column for a value. ...
  • Array form: We strongly recommend using VLOOKUP or HLOOKUP instead of the array form.

How to edit a CSV file in Splunk? ›

Edit a lookup file in the Splunk App for Lookup File Editing
  1. On the Lookups page, locate the file you want to edit from the list of imported CSV file and KV store lookups. ...
  2. Select the name of the lookup file you want to edit. ...
  3. Select any cell in the table to see the editing options.
  4. Make your changes to the file.

How do I download a CSV file from Splunk? ›

Export data using Splunk Web
  1. After you run a search, report, or pivot, click the Export button. The Export button is one of the Search action buttons. ...
  2. Click Format and select the format that you want the search results to be exported in. ...
  3. Optional. ...
  4. Optional. ...
  5. Click Export to save the job events in the export file.

How do you generate a CSV file with data? ›

Using a spreadsheet application like Excel, Google Sheets, or OpenOffice Calc is the easiest way to make CSV files. If you can't use any of those programs, you can use a text editor like Notepad or TextEdit. In a spreadsheet program, go to File > Save As > File Type > CSV.

How do I use a lookup file? ›

Using Lookup File Set
  1. Specify details about the data source (for example, if using a File Set stage, give the name of the file set).
  2. Ensure required column meta data has been specified.
  3. Fulfil any "must do's" for that particular stage editor.

How do you insert a lookup field? ›

Create a lookup field in Design View

Click in the Data Type column for that row, click the arrow and then, in the drop-down list, select Lookup Wizard. Note The Lookup Wizard creates three types of lists depending on the choices you make in the wizard: a lookup field, a values list field, and a multivalued field.

How do you add a lookup field to a report? ›

To add fields related via lookup:
  1. Edit the custom report type.
  2. In the Fields Available for Reports section, click "Add fields related via lookup."
  3. Select the lookup field and the related object.
  4. Choose the fields from the related object to include in the report type.
  5. Save your changes.
Jun 23, 2024

Top Articles
Who is Imane Khelif? Algerian boxer facing gender outcry had modest success before Olympics
2024 Paris Olympics: U.S. wins first gold on Day 1 of the Summer Games in swimming relay
Trivago Manhattan
Att Login Prepaid
Hoy Kilnoski Obituaries
What Is Carrier Default App? Everything You Need To Know - Mobile Soon
83600 Block Of 11Th Street East Palmdale Ca
Hydro Quebec Power Outage Map
Wat is 7x7? De gouden regel voor uw PowerPoint-presentatie
Smart fan mode msi, what's it for and does it need to be activated?
Cherry Spa Madison
Wow Patchu Pet Battle
Zitobox Tips And Tricks
Jennifer Lenzini Leaving Ktiv
Cuộc thi “Chung tay vì an toàn giao thông” năm 2024
Caribbean Mix Lake Ozark
Summoner Weapons Terraria
Dupage County Fcrc
Point Click Care Cna Lo
Devotion Showtimes Near Amc Classic Shiloh 14
American Eagle Store Locator
Rubmaps Springfield
Midsommar 123 Movies
Solid Red Light Litter Robot 4
Daves Supermarket Weekly Ad
Craiglist Galveston
Contoured Fowl Feather Wow
Community Q&A with Red Flight and the Combat Box server
Freeway Insurance Actress
Northern Va Bodyrubs
18443168434
Tulare Lake’s ghostly rebirth brings wonder — and hardship. Inside a community's resilience
Adriana Zambrano | Goosehead Insurance Agent in Metairie, Louisiana
Best Boxing Gyms Near Me
Texas State Final Grades
City Md Flatbush Junction
Agility Armour Conan Exiles
Shs Games 1V1 Lol
Sirius Satellite Radio Sports Schedule
Carabao Cup Wiki
Skip Da Games.com
Doomz.io Unblocked Games 76
Sxs Korde
Jane Powell, Spirited Star of Movie Musicals ‘Royal Wedding,’ ‘Seven Brides,’ Dies at 92
Netdania.com Gold
Tia V15.1 Update
Intoxalock Calibration Locations Near Me
Doctor Strange in the Multiverse of Madness - Wikiquote
Gary Zerola Net Worth
Rs3 Spectral Spirit Shield
Departments - Harris Teeter LLC
The Emperor's New Groove | Rotten Tomatoes
Latest Posts
Article information

Author: Nathanial Hackett

Last Updated:

Views: 5514

Rating: 4.1 / 5 (72 voted)

Reviews: 87% of readers found this page helpful

Author information

Name: Nathanial Hackett

Birthday: 1997-10-09

Address: Apt. 935 264 Abshire Canyon, South Nerissachester, NM 01800

Phone: +9752624861224

Job: Forward Technology Assistant

Hobby: Listening to music, Shopping, Vacation, Baton twirling, Flower arranging, Blacksmithing, Do it yourself

Introduction: My name is Nathanial Hackett, I am a lovely, curious, smiling, lively, thoughtful, courageous, lively person who loves writing and wants to share my knowledge and understanding with you.