All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk external lookup script within app not running

ShawnClark
Explorer
‎09-24-2015 10:38 AM

Based on the documentation:

The script must be located in one of two places:
$SPLUNK_HOME/etc/searchscripts
$SPLUNK_HOME/etc/apps/<app_name>/bin
See "More about the external lookup script" for more information about how such scripts work.

When I have the script within the apps/<app_name>/bin directory it is never picked up. When I move it to the searchscripts directory it runs just fine. Is the ability to have external lookup scripts within an app not possible? (Splunk 6.3)

Here is my transforms.conf:

[testLookup]
external_cmd=test_lookup.py testField1 testField2
external_type=python
fields_list=testField1, testField2
Reply

goelli
Communicator
‎01-06-2017 03:24 PM

I had the same issue on Splunk 6.4.4 and had to make sure, that the metadata/default.meta included not only the permission for the lookup. I simply added:

[]
access = read : [ * ], write : [ * ]
export = system
Reply

supersleepwalke
Communicator
‎07-15-2016 10:07 AM

I have the same problem.

Here's the very basic lookup script I've created (external_lookup.py)

import logging

logging.basicConfig(filename='/tmp/splunk-external_lookup-hello.log',level=logging.DEBUG)
logging.debug("foo")

If I put it in $SPLUNK_HOME/etc/apps/<app_name>/bin, I get the error

Could not find 'external_lookup.py'. It is required for lookup 'external_lookup'.

But if I put it in $SPLUNK_HOME/etc/apps/<app_name>/bin it works fine.

0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎09-28-2015 05:41 AM

I don't know for sure if this matters, but is your transforms in the same app you are putting the script in?

0 Karma
Reply

ShawnClark
Explorer
‎09-28-2015 10:33 AM

Yes my transforms.conf is in the app.

0 Karma
Reply

scruse
Path Finder
‎09-25-2015 04:17 PM

are you on NT or *nix, and what are the permissions on the script?

0 Karma
Reply

ShawnClark
Explorer
‎09-28-2015 10:33 AM

*nix and I have given execute permissions to the user (splunk) and all just to make sure it can get access to it.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...