With utwritelookup, a Splunk user can write the results of a Splunk search to a lookup in Cribl Stream. Both plain-text and .gz-compressed lookups are supported. Please note that the command takes all fields contained in the results piped into it and does not provide any multivalue handling. Because the command has to run on the search head with the full result set, it is a command of type Eventing. As Cribl Stream does not provide any functionality to edit a lookup in place, the whole file is sent to Cribl Stream even if only a single value changes. If the lookup already exists in Cribl Stream, the file is overwritten.
For utwritelookup to push an updated lookup to the worker nodes, the following conditions have to be met:
- A configuration has already been deployed to the worker group
- There are no committed but not yet deployed changes
If there are committed but not yet deployed changes, utwritelookup creates a new commit. If there are files that have been edited but not committed, utwritelookup only commits the changes it made itself.
| Parameter | Description | Example | Default |
|---|---|---|---|
| instance | Instance into which the created lookup should be written | dev | - |
| lookup_name | Name of the lookup that should be created or updated in Cribl Stream. The lookup name has to end in | ip_ranges.csv | - |
| append | If the events piped into | - | False |
Creating a lookup based on search results
To create a lookup containing all hosts sending data to Splunk together with the earliest and latest event of each host, run the search shown below:
Copying a lookup in Splunk to Cribl Stream
To copy an existing lookup from Splunk to Cribl Stream, run a search similar to the one shown in the screenshot below:
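The two searches below are added examples covering both procedures above (creating a lookup from search results, and copying an existing Splunk lookup); they are not taken from the original page or from the app's own documentation. They assume a Cribl Stream instance named `dev`, a Splunk lookup file `ip_ranges.csv` that already exists, and the hypothetical target lookup name `hosts_seen.csv`. Only the parameters `instance` and `lookup_name` from the table above are used.

```spl
| tstats min(_time) AS earliest max(_time) AS latest WHERE index=* BY host
| eval earliest=strftime(earliest, "%Y-%m-%dT%H:%M:%S"), latest=strftime(latest, "%Y-%m-%dT%H:%M:%S")
| fields host earliest latest
| utwritelookup instance=dev lookup_name=hosts_seen.csv

| inputlookup ip_ranges.csv
| utwritelookup instance=dev lookup_name=ip_ranges.csv
```

The explicit `| fields host earliest latest` is deliberate: because utwritelookup sends every field in the result set and performs no multivalue handling, restricting the output to the columns the lookup should contain keeps internal or multivalue fields from ending up in the file that is pushed to Cribl Stream. Each run replaces the whole lookup on the Cribl Stream side, so a search that returns an unexpectedly small result set (for example because of a too-narrow time range) will overwrite the previous content rather than merge into it; check the result count before pointing the search at a lookup that the worker nodes already use.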