topic Re: difficulty in updating a lookup file via rest in Splunk Search

difficulty in updating a lookup file via rest

dominiquevocat — Fri, 02 Feb 2018 16:38:15 GMT

i have a script that generates a csv under /var/run/splunk

I would like to update my lookup file

I read the docs and it says to post a request like this:

response = requests.post('https://localhost:8089/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv', data=payload, verify=False, headers=headers)

where headers are like this:

headers={'Authorization': 'Splunk xXxXxXXXxXXXy','Content-Type': 'application/json'}

and the data is like this:

{'eai:data': '/opt/splunk/var/run/splunk/cve.csv'}

i can read that endpoint like (excerpt):

  <entry>
    <title>cve.csv</title>
    <id>https://localhost:8089/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv</id>
    <updated>2018-02-02T15:57:56+01:00</updated>
    <link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv" rel="list"/>
    <link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv" rel="edit"/>
    <link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv" rel="remove"/>
    <link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv/move" rel="move"/>

and it looks ok but post failes with

>>> print response
<Response [500]>
>>> print response.text
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">
 In handler 'lookup-table-files': Data could not be written: /nobody/SA-cve/lookups/cve.csv: /opt/splunk/var/run/splunk/cve.cvs</msg>
  </messages>
</response>

Re: difficulty in updating a lookup file via rest

micahkemp — Sun, 04 Feb 2018 01:56:54 GMT

The response you included in your question shows cve.cvs for the filename, but your eai:data snippet suggests you mean cve.csv. Is there any chance you have a typo in your script somewhere?

Re: difficulty in updating a lookup file via rest

dominiquevocat — Mon, 05 Feb 2018 17:16:39 GMT

hi, must be a typo when doing the ticket

I just tried again just in case 🙂 hope springs eternal but it was a typo

The lookup file is shared globaly
/opt/splunk/etc/apps/SA-cve/lookups/cve.csv | No owner | SA-cve | Global

Re: difficulty in updating a lookup file via rest

micahkemp — Mon, 05 Feb 2018 21:49:01 GMT

If you're creating a new lookup file, you need to POST to https://localhost:8089/servicesNS/nobody/SA-cve/data/lookup-table-files and include name in your data. You POST to https://localhost:8089/servicesNS/nobody/SA-cve/data/lookup-table-files/<name>; if you're replacing an existing lookup file.

Try POSTing to https://localhost:8089/servicesNS/nobody/SA-cve/data/lookup-table-files and see if that helps.