topic Re: AppInspect check_all_lookups_are_used too restrictive? in Splunk Search

AppInspect check_all_lookups_are_used too restrictive?

Graham_Hanningt — Wed, 30 Sep 2020 04:27:42 GMT

Except from an AppInspect report:

[ Failure Summary ]
Failures will block the Cloud Vetting. They must be fixed.
check_all_lookups_are_used
Lookup file my_trans.csv is not referenced in transforms.conf. File: default/transforms.conf

The report is correct: my_trans.csv (not its real name) is not referenced in transforms.conf.

However, my_trans.csv is referenced by a macro in the app. From the app's macros.conf:

[myapp_exclude_my_trans]
definition = NOT [|inputlookup my_trans.csv]

From the description of this check in the AppInspect docs:

Check that all files in the /lookups directory are referenced in transforms.conf.

Why must files in the /lookups directory be referenced in transforms.conf?

Do I really need to add:

[mylookuptable]
filename = my_trans.csv

just to satisfy AppInspect?

Re: AppInspect check_all_lookups_are_used too restrictive?

kamlesh_vaghela — Wed, 30 Sep 2020 04:29:07 GMT

@Graham_Hannington

I think Yes, you should use lookup name instead of a file name in macros.conf.

transforms.conf

[mylookuptable]
filename = my_trans.csv

macros.conf

[myapp_exclude_my_trans]
definition = NOT [|inputlookup mylookuptable ]

Can you please try it?

Re: AppInspect check_all_lookups_are_used too restrictive?

nickhills — Wed, 04 Mar 2020 11:41:11 GMT

building on @kamlesh_vaghela's answer. Best practice is not to use lookup csv files directly.
The reason for this is that you can not define some of the lookup options such as match results or wildcard matching etc without using a definition.
It also allows for future expansion to move to KV store without having to reconstruct your knowledge objects.
This is why the process encourages you to use a lookup definition, and use that definition name in your searches and macros in place of the csv filename.

Re: AppInspect check_all_lookups_are_used too restrictive?

Graham_Hanningt — Wed, 04 Mar 2020 13:35:54 GMT

@kamlesh_vaghela ,

Thank you! Yes, I've tried it, and it works.

I had completely overlooked what you describe: that the inputlookup command can refer to a transforms.conf stanza name instead of the .csv file name. That explains a lot! In particular, as @nickhillscpl points out (thank you, too!) why AppInspect checks this. I "get it" now.

Thanks again to both of you for your advice, much appreciated. I'm now one step closer to that AppInspect badge.

Re: AppInspect check_all_lookups_are_used too restrictive?

Graham_Hanningt — Wed, 04 Mar 2020 13:37:48 GMT

@kamlesh_vaghela ,

If you feel like converting your comment into an answer, I'll accept it.

Re: AppInspect check_all_lookups_are_used too restrictive?

nickhills — Wed, 04 Mar 2020 13:38:22 GMT

Great news!, I have added @kamlesh_vaghela's comment as an answer. Please accept it and upvote any posts that helped!

Re: AppInspect check_all_lookups_are_used too restrictive?

bowesmana — Tue, 28 Nov 2023 07:38:36 GMT

@nickhills Just came across your comment, which made me chuckle, that the appinspect process encourages us to use definitions - while I agree with the principle of using definitions, I would say that a hard failure is not exactly an encouragement - it's a pointblank computer say NO 😏