Splunk Lookup

Splunk Lookup Table

SKILL.md

splunk-lookup

CSV and lookup file management for Splunk.

Purpose

Upload, download, and manage CSV lookup files and lookup definitions.

Risk Levels

| Operation | Risk | Notes |
|---|---|---|
| List lookups | - | Read-only |
| Get lookup info | - | Read-only |
| Download lookup | - | Read-only |
| Upload lookup | ⚠️ | Creates new or overwrites |
| Delete lookup | ⚠️⚠️ | May be recoverable from backup |

Triggers

  • "lookup", "CSV", "upload"
  • "lookup table", "enrichment"

CLI Commands

| Command | Description |
|---|---|
| lookup list | List lookup files |
| lookup get | Get contents of a lookup file |
| lookup upload | Upload CSV lookup file |
| lookup download | Download lookup file |
| lookup delete | Remove lookup file |
| lookup transforms | List lookup transforms/definitions |

Options

| Option | Commands | Description |
|---|---|---|
| -a, --app | all | App context (defaults to "search" for most commands) |
| -o, --output | list, get, transforms | Output format (text, json; get also supports csv) |
| -c, --count | get | Maximum rows to show |
| -n, --name | upload | Lookup name (defaults to filename) |
| -f, --force | delete | Skip confirmation |
| --output-file | download | Output file path |

App Context

The -a/--app option specifies the Splunk app context:

  • Optional for listing: Filter results to a specific app
  • Required for upload: Specifies where to store the lookup
  • Recommended for get/download/delete: Ensures you target the correct lookup file

Default behavior varies by command. When multiple apps have lookups with the same name, always specify --app.
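The Risk Levels table marks upload as overwriting and delete as recoverable only from backup, and this section recommends an explicit --app. The wrapper below is an added example, not part of the skill or of splunk-as itself: it takes a local copy with `lookup download` before either operation. `SPLUNK_AS_BIN`, `LOOKUP_BACKUP_DIR` and the function names are hypothetical, and it assumes `lookup download` exits non-zero when the lookup does not exist.

```bash
#!/usr/bin/env bash
# Added example (not part of the skill): keep a local copy of a lookup before
# an upload overwrites it or a delete removes it.
# Assumptions: SPLUNK_AS_BIN and LOOKUP_BACKUP_DIR are hypothetical variables;
# `lookup download` is assumed to exit non-zero when the lookup does not exist;
# the name given to -n is assumed to be the name `download` accepts.
SPLUNK_AS_BIN="${SPLUNK_AS_BIN:-splunk-as}"
LOOKUP_BACKUP_DIR="${LOOKUP_BACKUP_DIR:-./lookup-backups}"

# backup_lookup NAME APP: prints the backup path, returns 1 if nothing was saved.
backup_lookup() (
    name=$1; app=$2
    dir="$LOOKUP_BACKUP_DIR/$app"
    mkdir -p "$dir" || return 2
    dest="$dir/$(date -u +%Y%m%dT%H%M%SZ)-$(basename "$name")"
    n=0; base=$dest
    while [ -e "$dest" ]; do n=$((n + 1)); dest="$base.$n"; done  # never clobber a backup
    if "$SPLUNK_AS_BIN" lookup download "$name" -a "$app" --output-file "$dest" \
            >/dev/null 2>&1 && [ -f "$dest" ]; then
        printf '%s\n' "$dest"
    else
        rm -f "$dest"
        return 1
    fi
)

# safe_upload FILE APP [NAME]: explicit app context, backup first, then upload.
safe_upload() (
    file=$1; app=$2; name=${3:-$(basename "$file")}
    [ -n "$app" ] || { echo "app context is required" >&2; return 64; }
    [ -s "$file" ] || { echo "missing or empty CSV: $file" >&2; return 66; }
    if saved=$(backup_lookup "$name" "$app"); then
        echo "existing $app/$name saved to $saved" >&2
    else
        echo "no existing $app/$name could be downloaded; creating it" >&2
    fi
    "$SPLUNK_AS_BIN" lookup upload "$file" -a "$app" -n "$name"
)

# safe_delete NAME APP: refuses to delete unless a backup was written.
safe_delete() (
    name=$1; app=$2
    [ -n "$app" ] || { echo "app context is required" >&2; return 64; }
    saved=$(backup_lookup "$name" "$app") || {
        echo "refusing to delete $app/$name: no backup taken" >&2; return 1; }
    echo "backup of $app/$name: $saved" >&2
    "$SPLUNK_AS_BIN" lookup delete "$name" -a "$app" -f
)
```

Source the file and call `safe_upload users.csv search` or `safe_delete old_users.csv search`; `safe_delete` passes -f only after the backup file exists.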

Examples

```bash
# List lookups (with output format)
splunk-as lookup list -a search
splunk-as lookup list -a search -o json

# Get lookup contents (with count limit)
splunk-as lookup get users.csv -a search
splunk-as lookup get users.csv -a search -c 100 -o csv

# Upload lookup (with custom name)
splunk-as lookup upload users.csv -a search
splunk-as lookup upload /path/to/data.csv -a search -n custom_lookup

# Download lookup
splunk-as lookup download users.csv --output-file ./users.csv

# Delete lookup (with force flag)
splunk-as lookup delete old_users.csv -a search
splunk-as lookup delete old_users.csv -a search -f

# List lookup transforms/definitions
splunk-as lookup transforms -a search
splunk-as lookup transforms -a search -o json
```

API Endpoints

  • POST /services/data/lookup-table-files - Upload
  • GET /services/data/lookup-table-files - List
  • GET/DELETE /services/data/lookup-table-files/{name} - Get/Delete