https://community.splunk.com/t5/Splunk-Search/Splunk-Cloud-Lookups/m-p/700109#M237599 <P>Hi Splunk Experts,</P><P>I hope to get a quick hint on my issue. I have a Splunk Cloud setup with two search heads, one of which is dedicated to Enterprise Security. I have different lookups on this search head containing, e.g., all user attributes. I wanted to enhance a specific search using the <EM>lookup</EM> command as described in the documentation.</P><P>Additionally, I can access and view the lookup with the <EM>inputlookup</EM> command, confirming the file’s existence and proper permissions on the search head.</P><P>The search I have trouble with (simplified):</P><P>&nbsp;</P><LI-CODE lang="markup">index=main source_type=some_event_related_to_users | lookup ldap_users.csv identity as src_user</LI-CODE><P>&nbsp;</P><P><SPAN>However, this search instantaneously fails with:</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">[idx-[...].splunkcloud.com,idx-[...].splunkcloud.com,idx-[...].splunkcloud.com] The lookup table 'ldap_users.csv' does not exist or is not available.</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I must confess I am rather new to Splunk and even newer to running a Splunk cluster. So I do not really understand why my indexers are looking for the file in the first place. I assumed that the search head would handle the lookup. In addition, as I am a Splunk Cloud customer, I don’t have access to the indexers anyway.</P><P>Can someone give me a pointer on how to achieve such a query in a Splunk Cloud Environment?</P> Wed, 25 Sep 2024 15:38:54 GMT Gravoc 2024-09-25T15:38:54Z https://community.splunk.com/t5/Splunk-Search/Splunk-Cloud-Lookups/m-p/700109#M237599 <P>Hi Splunk Experts,</P><P>I hope to get a quick hint on my issue. I have a Splunk Cloud setup with two search heads, one of which is dedicated to Enterprise Security. I have different lookups on this search head containing, e.g., all user attributes. I wanted to enhance a specific search using the <EM>lookup</EM> command as described in the documentation.</P><P>Additionally, I can access and view the lookup with the <EM>inputlookup</EM> command, confirming the file’s existence and proper permissions on the search head.</P><P>The search I have trouble with (simplified):</P><P>&nbsp;</P><LI-CODE lang="markup">index=main source_type=some_event_related_to_users | lookup ldap_users.csv identity as src_user</LI-CODE><P>&nbsp;</P><P><SPAN>However, this search instantaneously fails with:</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">[idx-[...].splunkcloud.com,idx-[...].splunkcloud.com,idx-[...].splunkcloud.com] The lookup table 'ldap_users.csv' does not exist or is not available.</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I must confess I am rather new to Splunk and even newer to running a Splunk cluster. So I do not really understand why my indexers are looking for the file in the first place. I assumed that the search head would handle the lookup. In addition, as I am a Splunk Cloud customer, I don’t have access to the indexers anyway.</P><P>Can someone give me a pointer on how to achieve such a query in a Splunk Cloud Environment?</P> Wed, 25 Sep 2024 15:38:54 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Cloud-Lookups/m-p/700109#M237599 Gravoc 2024-09-25T15:38:54Z https://community.splunk.com/t5/Splunk-Search/Splunk-Cloud-Lookups/m-p/700112#M237601 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/272546">@Gravoc</a>&nbsp;,</P><P>at first check if the lookup name is correct (it's case sensitive).</P><P>Then check if you see the lookup using the Splunk Lookup Editor App.</P><P>Then check if you have created also the Lookup definition for this lookup.</P><P>At least check the grants on lookup and lookup definition.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 25 Sep 2024 15:48:41 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Cloud-Lookups/m-p/700112#M237601 gcusello 2024-09-25T15:48:41Z https://community.splunk.com/t5/Splunk-Search/Splunk-Cloud-Lookups/m-p/700168#M237630 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>,</P><P>thanks for giving this quick reply.</P><P>&nbsp;</P><P>I checked the filename either manually and second time by using the following command:</P><LI-CODE lang="markup">| inputlookup ldap_users.csv</LI-CODE><P>&nbsp;</P><P>This returns the lookup as expected.</P><P>I can see and edit my lookup with the lookup editor app.</P><P>I also created an Lookup definition and set the permissions on both the lookup and the lookup definition to global read. I also use the lookup in my Enterprise Security Asset Management - and there it works flawlessly.</P><P>&nbsp;</P><P>However, I managed to just utilize the merged identity lookup that Enterprise Security creates. It is not the solution to the original problem - but solves my usecase.</P><P>&nbsp;</P><P>So for me the solution is to just utlitze another lookup:</P><LI-CODE lang="markup">index=main source_type=some_event_related_to_users | lookup identity_lookup_expanded identity as src_user</LI-CODE><P>&nbsp;</P> Thu, 26 Sep 2024 07:28:44 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Cloud-Lookups/m-p/700168#M237630 Gravoc 2024-09-26T07:28:44Z https://community.splunk.com/t5/Splunk-Search/Splunk-Cloud-Lookups/m-p/700210#M237638 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/272546">@Gravoc</a>&nbsp;,<BR />maybe you created the lookup in a different app and didn't add the Global sharing level to the lookup and to the definition.</P><P>Instead the ES lookups are shared at Global level, probably for this reason it runs.</P><P>Try to share as Global lookup and dedinition.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 26 Sep 2024 12:43:15 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Cloud-Lookups/m-p/700210#M237638 gcusello 2024-09-26T12:43:15Z