https://community.splunk.com/t5/Getting-Data-In/Federated-Search-How-do-I-create-lookup-file-with-results/m-p/698210#M115767 <P>You can use '<SPAN><STRONG>| append [ | noop ]</STRONG></SPAN>' as a workaround:<BR /><BR /></P> <LI-CODE lang="markup">| from federated &lt;&gt; | append [ | noop ] | outputlookup &lt;&gt;.csv</LI-CODE> <P><SPAN>&nbsp;</SPAN></P> Wed, 04 Sep 2024 17:01:07 GMT _joe 2024-09-04T17:01:07Z https://community.splunk.com/t5/Getting-Data-In/Federated-Search-How-do-I-create-lookup-file-with-results/m-p/589401#M103364 <P>We are working with several remote datasets that are combined to give our end user a specific result.&nbsp;</P> <P>Federated Search gives us an LDAP dn, which we are trying to use to pull enhancing information from another remote source via a REST API.&nbsp; The following search works:</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=federated:remote_dataset userid="cn=" | \ eval dn=lower(userid) | \ dedup dn | \ table dn</LI-CODE> <P>&nbsp;</P> <P>The idea is to use a scheduled search to populate a csv with a list of DNs at the top of every hour, then use a cron job to spawn a python script which generates a new CSV that contains the DN and the enhancing data from the REST API source. Our python script is working, however when we add "|outputlookup dn.csv append=true" to the otherwise functional SPL, we get nothing.</P> <P>This fails:</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=federated:remote_dataset userid="cn=" | \ eval dn=lower(userid) | \ dedup dn | \ table dn | \ outputlookup dn.csv append=true</LI-CODE> <P>&nbsp;</P> <P>Is this a limitation of Federated Search?</P> <P>Thank you</P> Wed, 16 Mar 2022 20:25:07 GMT https://community.splunk.com/t5/Getting-Data-In/Federated-Search-How-do-I-create-lookup-file-with-results/m-p/589401#M103364 discenzadoe 2022-03-16T20:25:07Z https://community.splunk.com/t5/Getting-Data-In/Federated-Search-How-do-I-create-lookup-file-with-results/m-p/589532#M103375 <P>Do you see any error when running the search? (in Job dropdown you should see some message).</P> Thu, 17 Mar 2022 14:29:38 GMT https://community.splunk.com/t5/Getting-Data-In/Federated-Search-How-do-I-create-lookup-file-with-results/m-p/589532#M103375 somesoni2 2022-03-17T14:29:38Z https://community.splunk.com/t5/Getting-Data-In/Federated-Search-How-do-I-create-lookup-file-with-results/m-p/698192#M115765 <P>Similar issue. There are no error logs per say.&nbsp; The search log shows the the output appears to be happening on the remote SH.&nbsp;<BR /><BR /><SPAN><SPAN class="">Results written to file '/opt/splunk/etc/apps/search/lookups/mylookup.csv' on serverName=',&lt;&lt;remoteServerName&gt;&gt;</SPAN></SPAN></P> <P>In other words, if I login to my local search head and run this and get an output of 100 entries:</P> <LI-CODE lang="markup">| federated from:my report | outputlookup mylookup.csv</LI-CODE> <P>Then I run this (Again on the local search head), it will be empty:</P> <LI-CODE lang="markup">| inputlookup mylookup.csv</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 04 Sep 2024 14:05:24 GMT https://community.splunk.com/t5/Getting-Data-In/Federated-Search-How-do-I-create-lookup-file-with-results/m-p/698192#M115765 _joe 2024-09-04T14:05:24Z https://community.splunk.com/t5/Getting-Data-In/Federated-Search-How-do-I-create-lookup-file-with-results/m-p/698210#M115767 <P>You can use '<SPAN><STRONG>| append [ | noop ]</STRONG></SPAN>' as a workaround:<BR /><BR /></P> <LI-CODE lang="markup">| from federated &lt;&gt; | append [ | noop ] | outputlookup &lt;&gt;.csv</LI-CODE> <P><SPAN>&nbsp;</SPAN></P> Wed, 04 Sep 2024 17:01:07 GMT https://community.splunk.com/t5/Getting-Data-In/Federated-Search-How-do-I-create-lookup-file-with-results/m-p/698210#M115767 _joe 2024-09-04T17:01:07Z