Splunk external lookup script within app not running

ShawnClark
Explorer

Based on the documentation:

The script must be located in one of two places:
$SPLUNK_HOME/etc/searchscripts
$SPLUNK_HOME/etc/apps/<app_name>/bin
See "More about the external lookup script" for more information about how such scripts work.

When I have the script within the apps/<app_name>/bin directory it is never picked up. When I move it to the searchscripts directory it runs just fine. Is the ability to have external lookup scripts within an app not possible? (Splunk 6.3)

Here is my transforms.conf:

[testLookup]
external_cmd=test_lookup.py testField1 testField2
external_type=python
fields_list=testField1, testField2

goelli
Communicator

I had the same issue on Splunk 6.4.4 and had to make sure that the metadata/default.meta included not only the permission for the lookup. I simply added:

[]
access = read : [ * ], write : [ * ]
export = system
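
Added example, not part of the thread and not Splunk's own tooling: a small Python check that parses a default.meta file and reports stanzas that grant write to every role, or that export the whole app through the catch-all `[]` stanza, as the stanza above does. The sample file contents, the `[transforms/testLookup]` stanza and the `admin` role are constructed for illustration.

```python
import re

# Constructed sample: the catch-all stanza from the reply above, plus a
# narrower per-object stanza for comparison (stanza and role are assumptions).
SAMPLE_META = """\
[]
access = read : [ * ], write : [ * ]
export = system

[transforms/testLookup]
access = read : [ * ], write : [ admin ]
export = system
"""

ACCESS_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")


def parse_meta(text):
    """Return {stanza_name: {key: value}} for a default.meta-style file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def audit_meta(text):
    """List (stanza, finding) pairs for world-writable or catch-all exports."""
    findings = []
    for name, settings in parse_meta(text).items():
        label = name or "[] (every object in the app)"
        roles = {perm: {r.strip() for r in body.split(",") if r.strip()}
                 for perm, body in ACCESS_RE.findall(settings.get("access", ""))}
        if "*" in roles.get("write", set()):
            findings.append((label, "write granted to all roles"))
        if name == "" and settings.get("export") == "system":
            findings.append((label, "whole app exported to every app"))
    return findings


if __name__ == "__main__":
    for stanza, finding in audit_meta(SAMPLE_META):
        print(f"{stanza}: {finding}")
```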

supersleepwalke
Communicator

I have the same problem.

Here's the very basic lookup script I've created (external_lookup.py):

import logging

logging.basicConfig(filename='/tmp/splunk-external_lookup-hello.log', level=logging.DEBUG)
logging.debug("foo")

If I put it in $SPLUNK_HOME/etc/apps/<app_name>/bin, I get the error

Could not find 'external_lookup.py'. It is required for lookup 'external_lookup'.

But if I put it in $SPLUNK_HOME/etc/apps/<app_name>/bin it works fine.

0 Karma

muebel
SplunkTrust

I don't know for sure if this matters, but is your transforms in the same app you are putting the script in?

0 Karma

ShawnClark
Explorer

Yes, my transforms.conf is in the app.

0 Karma

scruse
Path Finder

Are you on NT or *nix, and what are the permissions on the script?

0 Karma

ShawnClark
Explorer

*nix and I have given execute permissions to the user (splunk) and all just to make sure it can get access to it.

0 Karma