If you have seen my previous post "Upgrading Linux Forwarders Using the Deployment Server", you can see that I love figuring out how to do unconventional tasks using Splunk.

I was working with a customer a couple of weeks ago who has several search heads and wanted a way to sync lookup files without relying on third-party tools such as rsync.

Since Splunk is a very open platform, I knew this could be accomplished using a custom REST endpoint. However, I wanted to use pure SPL so this solution could be completely portable and usable without installing additional apps.

Knowing that Splunk can search a specific search peer using the splunk_server parameter, I added the source search head to the destination search head. I was hoping the inputlookup command allowed for the use of splunk_server, but it didn't.

I began looking at existing REST endpoints and realized there was not one that would retrieve the contents of a lookup file. I then knew the solution: I needed to figure out a way to run the inputlookup command remotely.

I knew I could run a curl command from the operating system, execute any search, and retrieve the contents of a lookup using Splunk's robust REST API. I then realized I could do the same thing using the rest command on a search head.

I set up two search heads in my lab environment, sh1 with a "demo_assets.csv" lookup and sh2 without the lookup. I then added sh1 as a search peer to sh2.

Using the following search, I could retrieve the contents of the lookup file named "demo_assets.csv" from sh1: