This guide walks you through transferring lookup files from a Splunkbase download to your active Splunk installation on a Linux system.
- Go to Splunkbase.
- Find and download the desired app or add-on.
- This typically gives you a .spl or .tgz archive.
In your terminal, navigate to the folder with the downloaded file:
cd ~/Downloads
Extract the file (replace your_app.spl with your filename):
tar -xvf your_app.spl
This reveals the app's folder structure. Look for the lookups directory inside.
First, find where Splunk is installed:
sudo find / -type d -name splunk
Typical paths include:
- /opt/splunk
- /usr/local/splunk
- /etc/splunk
Once you've located the path, navigate to your app's folder within the Splunk install:
cd /opt/splunk/etc/apps/<your_installed_app>/lookups
If the folder doesn't exist, create it:
sudo mkdir -p /opt/splunk/etc/apps/<your_installed_app>/lookups
Now, copy the lookup files from your downloaded app to the installed one:
sudo cp ~/Downloads/<your_app>/lookups/* /opt/splunk/etc/apps/<your_installed_app>/lookups/
Ensure the permissions are correct:
sudo chown splunk:splunk /opt/splunk/etc/apps/<your_installed_app>/lookups/*
sudo chmod 644 /opt/splunk/etc/apps/<your_installed_app>/lookups/*
Restart Splunk to apply the changes:
sudo /opt/splunk/bin/splunk restart
Log into Splunk's web interface and check that the lookup is available:
- Go to Settings > Lookups > Lookup table files.
- Ensure your file is listed and accessible.
Alternatively, run this search to confirm:
| inputlookup <your_lookup_file.csv>
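The extract-and-copy steps above, put together as a POSIX shell helper. This is an added example, not part of the original guide and not Splunk's own tooling. It adds two checks a practitioner would want before running the steps as root: it lists the archive first and refuses any entry that is an absolute path or contains a `..` component (an untrusted tar archive can otherwise write outside the extraction directory), and it copies only regular files from the app's `lookups/` directory, so nothing else from the archive lands in the install. Assumptions: `SPLUNK_HOME` defaults to `/opt/splunk`, the service account is `splunk` (as in the chown above), the archive's top-level directory is the app folder, and the `chown` is attempted only when the script runs as root.

```shell
#!/bin/sh
# Added example (not from the original guide). Installs the lookups/ files from a
# Splunkbase .spl/.tgz archive into an installed app, with safety checks.
# Assumptions: SPLUNK_HOME defaults to /opt/splunk; service user is "splunk";
# the archive's top-level directory is the app folder.

# archive_is_safe ARCHIVE
#   Returns 0 only if tar can list the archive and every entry is a relative
#   path with no ".." component. Returns 1 otherwise (including unreadable archives).
archive_is_safe() {
    listing=$(tar -tf "$1" 2>/dev/null) || return 1
    printf '%s\n' "$listing" | awk '
        /^\// { bad = 1 }                                   # absolute path
        { n = split($0, p, "/"); for (i = 1; i <= n; i++) if (p[i] == "..") bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# install_lookups ARCHIVE APP_NAME [SPLUNK_HOME]
#   Extracts ARCHIVE into a scratch directory, copies <app>/lookups/* (regular
#   files only) into $SPLUNK_HOME/etc/apps/APP_NAME/lookups with mode 644, and
#   prints the number of files copied. Returns 1 on any failure.
install_lookups() {
    archive=$1; app=$2; home=${3:-/opt/splunk}
    archive_is_safe "$archive" || { echo "refusing unsafe or unreadable archive: $archive" >&2; return 1; }
    work=$(mktemp -d) || return 1
    # Extract into the scratch dir, never into the install tree directly.
    tar -xf "$archive" -C "$work" || { rm -rf "$work"; return 1; }
    dest="$home/etc/apps/$app/lookups"
    mkdir -p "$dest" || { rm -rf "$work"; return 1; }
    count=0
    for f in "$work"/*/lookups/*; do
        [ -f "$f" ] || continue            # skip subdirectories and a non-matching glob
        cp "$f" "$dest/" && chmod 644 "$dest/$(basename "$f")" || { rm -rf "$work"; return 1; }
        count=$((count + 1))
    done
    # Splunk usually runs as the "splunk" user (assumption); chown requires root.
    if [ "$(id -u)" -eq 0 ]; then
        chown splunk:splunk "$dest"/* 2>/dev/null || true
    fi
    rm -rf "$work"
    echo "$count"
}

# Usage: ./install_lookups.sh ~/Downloads/your_app.spl your_installed_app [/opt/splunk]
if [ "$#" -ge 2 ]; then
    install_lookups "$@" || exit 1
fi
```

After the copy, restart Splunk and confirm with `| inputlookup <your_lookup_file.csv>` as described above. Listing the archive before extracting costs one extra `tar -tf` and is the step that keeps a malformed or tampered download from writing outside the scratch directory.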
All done! Your lookup files should now be transferred and working in your installed Splunk environment.