topic Re: Need help getting data from Splunk REST API in Splunk Search

How do I get data from Splunk REST API using python? Receiving error

ssharm223 — Mon, 16 May 2022 20:47:47 GMT

Hi, so my team is currently has some data on Splunk cloud. My task is to use your REST API to get this data using python.

On Splunk web I get this data by using the following query:

| from inputlookup:"cloud_accountList"

I have written a simple python script to get the data:

splunkTenant = 'avc3' splunkURL = { 'api': f"https://ab1.{splunkTenant}.splunkcloud.com:1234", } splunkCredentials = { 'user': 'test_user', 'password': 'SplunkIsGreat' } searchString = f"| from inputlookup:\"cloud_accountList\"" search = { 'search': searchString, 'output_mode': 'json' } splunkEndpoints = { 'returnedAppSearch': f"{splunkURL['api']}/servicesNS/{splunkCredentials['user'].upper()}", } cacertpath = '/Users/***/Downloads/cacert.pem' searchURL2 = f"{splunkEndpoints['returnedAppSearch']}/APP_NAME/search/jobs" splunk_response = requests.post( url=searchURL, auth=(str(splunkCredentials['user']), str(splunkCredentials['password'])), verify=cacertpath data=search)

When I run this script I get an error. Can someone please help me out?

Regards

Re: Need help getting data from Splunk REST API

ITWhisperer — Fri, 13 May 2022 07:50:55 GMT

What error do you get?

Re: Need help getting data from Splunk REST API

ssharm223 — Fri, 13 May 2022 14:21:42 GMT

'ERROR', 'text': "The lookup table 'cloud_accountList' requires a .csv or KV store lookup definition

This is the error I am getting

Re: Need help getting data from Splunk REST API

ITWhisperer — Fri, 13 May 2022 14:32:45 GMT

Looks like you need to set up a definition for the lookup

Re: Need help getting data from Splunk REST API

ssharm223 — Fri, 13 May 2022 14:49:32 GMT

Thanks ITWhisperer. Can you list the exact steps we have to follow? I am very new to this.

Re: Need help getting data from Splunk REST API

ITWhisperer — Fri, 13 May 2022 14:52:49 GMT

Define a CSV lookup in Splunk Web - Splunk Documentation

Re: Need help getting data from Splunk REST API

ssharm223 — Mon, 16 May 2022 20:41:50 GMT

Went over this with an admin. Looks like the lookup is already defined. Is there anything else I can try?

Re: How do I get data from Splunk REST API using python? Receiving error

AGLbwa — Tue, 29 Aug 2023 08:45:05 GMT

@ssharm223 did you ever get an answer to this? Guessing no? I'm having the same issue with accessing a csv lookup that I can access via the web UI, however attempting to access it via API gets me:

Non-result: ERROR The lookup table 'asset_lookup-by_str' requires a .csv or KV store lookup definition..

However changing the search to "|inputlookup asset_lookup-by_str.csv" still gets me:

Non-result: ERROR The lookup table 'asset_lookup-by_str.csv' requires a .csv or KV store lookup definition..

I suspect there is some combination of non-filesystem access and non-default csv locations that means we are SOL, but happy to be proven wrong by the brains trust!

Re: How do I get data from Splunk REST API using python? Receiving error

AGLbwa — Tue, 29 Aug 2023 08:51:34 GMT

@ssharm223 One thing that may be worth trying is adding the app to your connection parameters. I get a different error when I do this and it may simply be that my permissions aren't set up correctly.

Re: How do I get data from Splunk REST API using python? Receiving error

AGLbwa — Wed, 30 Aug 2023 00:12:18 GMT

This was me with a typo - see that dash? It should be an underscore (and the lookup was kvstore, not csv)!

Re: How do I get data from Splunk REST API using python? Receiving error

AGLbwa — Wed, 06 Sep 2023 04:26:52 GMT

Just as a follow up with csv I definitely get an error. I get the error:

Non-result: ERROR The lookup table 'not_really_my_lookup_name.csv' requires a .csv or KV store lookup definition..

Without .csv I get the same error but *also*:

Non-result: ERROR The lookup table 'not_really_my_lookup_name' is invalid..