If you wanted to do something in another Splunk instance to play around with this data, you have a couple of options.

A) Make a copy of those lookups into a lookup folder in an app on the new instance and use | inputlookup filename.csv on them, just like the MLTK does. There essentially is no "log" except those lookups.

BUT now that I think I know what you are trying to do. The MLTK "logs" aren't usually logs, if I recall correctly the ML app usually uses | inputlookup filename.csv to get its data, so the "log" is. I mean, every log is, by definition in a different place. But even in that case, Settings, Lookups, Lookup table files will still tell you where it is, though you may have to change a few options at the top to see it. Probably the biggest non-obvious thing to note is that if you have a lookup with that same filename in another app already, and it's shared globally, then when you outputlookup to that filename it will instead overwrite that other file that lives in another location with your data. Now that I've written it with outputlookup, if I go to Settings, Lookups, then Lookup table files, I can find where that CSV ended up. In the case I did above, the beginning of my URL was you really should be - it's very important! But the shortcut at this time is to look at your URL. If I'm in an app called "mud_slinger", then it'll end up in /opt/splunk/etc/apps/mud_slinger/lookups/file.csv. /opt/splunk/etc/apps/search/lookups/file.csv The location of the file you write with | outputlookup file.csv is probably going to be the local app's lookup folder.

For instance, if I'm in the search and reporting app, then that process above would end up with a file in

So you | outputlookup file.csv from your production server, and you want to copy this to a VM - which I assume is a test or development server? (Doesn't actually matter for this purpose, I just think that's a common scenario so I'm adding it to the answer).
I think that makes it a bit more clear in many ways. well in that case it's possible it may not be terrible to write the SFTPed file to somewhere like /opt/splunk/etc/apps/Splunk_ML_Toolkit/lookups/ (You wouldn't probably want to only write it to your own user folder version, indeed I'm not sure that would even work). In that case I guess reply back with what it is you are trying to do and maybe we can be more specific about what to do with it, but. If you were creating a lookup, but NOT that particular lookup, well. Set your SFTP location to somewhere sane like /opt/data/some_subfolder or something (you'll have to make that directory structure), then have the input you build in the UI (or via conf files or whatever) point to that folder. If on the other hand it was just some random "I found this example somewhere" type thing, then no worries. well, OK, but I just wanted to ask to make sure that's actually what you want to do. Why are you trying to SFTP logs to that path and file, or was it just an example? If you are trying to replace that file with something you are dropping onto the server with SFTP. That file path is a lookup for the Splunk_ML_Toolkit. Both path-wise and permissions-wise.

BUT there's some complexity that is purely because of the example you gave.