topic Re: Using inputlookup with external_cmd in Splunk Dev

Using inputlookup with external_cmd

cygnetix — Tue, 07 Mar 2017 23:45:45 GMT

Hi all,

Is it possible to use inputlookup to pull a list of information from a scripted lookup?

The documentation for inputlookup seems to suggest this is possible:

The lookup table can be configured for any lookup type (CSV, external, or KV store)._

But the documentation for transforms.conf where the scripted input is defined states

Your external lookup script must take in a partially empty CSV file and output a filled-in CSV file

Which implies that it can't be used with a generating command like inputlookup.

I'm trying to pull in a CSV from a threat intel feed but in a way that would allow me to do so using a scheduled search rather than a scripted input or modular input. Any thoughts on how best to do this if using a scripted input with inputlook isn't possible?

Re: Using inputlookup with external_cmd

cygnetix — Wed, 08 Mar 2017 00:26:24 GMT

Search logs show:

03-08-2017 10:20:03.398 WARN SearchOperator:inputcsv - sid:1488932400.14 The lookup table 'testlookup' is invalid.

So it looks like, possibly, it's trying to load my scripted lookup using inputcsv?

Re: Using inputlookup with external_cmd

starcher — Wed, 08 Mar 2017 00:53:57 GMT

If you really want to do it in SPL then I would suggest a custom search command. I don't think you are going to get inputlookup to work since is likely requiring arguments to lookup on.

http://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Writeasearchcommand

Re: Using inputlookup with external_cmd

cygnetix — Wed, 08 Mar 2017 01:05:38 GMT

I converted my script to work as a search command not long after posting the question. I agree that it looks like a search command or modular input are the way to go, but I believe that Splunk should update their documentation for inputlookup if it's not possible to use scripted lookups with this command (as the documentation currently states).

Re: Using inputlookup with external_cmd

cygnetix — Wed, 08 Mar 2017 02:13:48 GMT

I've send a comment on the documentation page for inputlookup to query whether the statement that inputlookup will work with scripted lookups is correct or not. I suspect it is incorrect.

Re: Using inputlookup with external_cmd

starcher — Wed, 08 Mar 2017 13:25:52 GMT

Yup the docs feedback is the best way to get Splunk to update the docs. The docs team watches it carefully.

Re: Using inputlookup with external_cmd

spunk_enthusias — Fri, 27 Oct 2023 14:13:57 GMT

When running

| inputlookup testlookup

(which is an external lookup) I get the error message:

The lookup table 'testlookup' requires a .csv or KV store lookup definition

... so I assume this isn't an intended use case.

Quite a bummer because (as per some of my earlier posts) custom search commands kind of suck.