Splunk external lookup script within app not running

Explorer

Based on the documentation:

The script must be located in one of two places:
$SPLUNK_HOME/etc/searchscripts
$SPLUNK_HOME/etc/apps/<app_name>/bin
See "More about the external lookup script" for more information about how such scripts work.

When I have the script within the apps/<app_name>/bin directory it is never picked up. When I move it to the searchscripts directory it runs just fine. Is the ability to have external lookup scripts within an app not possible? (Splunk 6.3)

Here is my transforms.conf:

[testLookup]
external_cmd=test_lookup.py testField1 testField2
external_type=python
fields_list=testField1, testField2

Communicator

I had the same issue on Splunk 6.4.4 and had to make sure that the metadata/default.meta included not only the permission for the lookup. I simply added:

[]
access = read : [ * ], write : [ * ]
export = system

0 Karma

Communicator

I have the same problem.

Here's the very basic lookup script I've created (external_lookup.py):

import logging

logging.basicConfig(filename='/tmp/splunk-external_lookup-hello.log',level=logging.DEBUG)
logging.debug("foo")

If I put it in $SPLUNK_HOME/etc/apps/<app_name>/bin, I get the error

Could not find 'external_lookup.py'. It is required for lookup 'external_lookup'.

But if I put it in $SPLUNK_HOME/etc/apps/<app_name>/bin it works fine.

0 Karma

SplunkTrust

I don't know for sure if this matters, but is your transforms in the same app you are putting the script in?

0 Karma

Explorer

Yes, my transforms.conf is in the app.

0 Karma

Path Finder

Are you on NT or *nix, and what are the permissions on the script?

0 Karma

Explorer

*nix and I have given execute permissions to the user (splunk) and all just to make sure it can get access to it.

0 Karma
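
The checks raised across this thread (transforms.conf in the same app as the script, script present in the app's bin directory, execute permission, export = system in the app metadata) can be run in one pass. The Python sketch below is an added example, not code from any poster or from Splunk; the function names, the constructed sample app, and the simplified "most specific stanza wins" reading of the metadata files are assumptions. It also reports a [] stanza with write : [ * ], because that stanza applies to every object in the app.

```python
import os

def parse_conf(*paths):
    """Merge Splunk .conf/.meta files into {stanza: {key: value}}; later files win."""
    stanzas = {}
    for path in filter(os.path.isfile, paths):
        current = None
        with open(path) as fh:
            for line in map(str.strip, fh):
                if line.startswith("[") and line.endswith("]"):
                    current = stanzas.setdefault(line[1:-1].strip(), {})
                elif "=" in line and not line.startswith("#") and current is not None:
                    key, value = line.split("=", 1)
                    current[key.strip()] = value.strip()
    return stanzas

def check_external_lookup(app_dir, lookup):
    """Return a list of findings; an empty list means every check passed."""
    j = lambda *parts: os.path.join(app_dir, *parts)
    stanza = parse_conf(j("default", "transforms.conf"), j("local", "transforms.conf")).get(lookup, {})
    cmd = stanza.get("external_cmd", "").split()
    if not cmd:
        return ["no external lookup [%s] in this app's transforms.conf" % lookup]
    findings, script = [], j("bin", cmd[0])
    if not os.path.isfile(script):
        findings.append("%s is not in the app's bin directory" % cmd[0])
    elif not os.stat(script).st_mode & 0o111:
        findings.append("%s has no execute bit set" % cmd[0])
    meta = parse_conf(j("metadata", "default.meta"), j("metadata", "local.meta"))
    scopes = [meta.get(s, {}) for s in ("", "transforms", "transforms/" + lookup)]
    exports = [s["export"] for s in scopes if "export" in s]  # most specific stanza last
    if not exports or exports[-1] != "system":
        findings.append("no 'export = system' applies to the lookup")
    if "*" in meta.get("", {}).get("access", "").partition("write")[2].partition("]")[0]:
        findings.append("[] stanza gives every role write access to all objects in the app")
    return findings

SAMPLE = {  # constructed sample app built from the transforms.conf and default.meta in the thread
    "default/transforms.conf": "[testLookup]\nexternal_cmd=test_lookup.py testField1 testField2\n",
    "metadata/default.meta": "[]\naccess = read : [ * ], write : [ * ]\nexport = system\n",
    "bin/test_lookup.py": "# placeholder lookup script\n",
}

def build_sample_app(root, mode=0o755):
    for rel, body in SAMPLE.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "bin/test_lookup.py"), mode)
```

To use it on a real installation, call check_external_lookup with the path to $SPLUNK_HOME/etc/apps/<app_name> and the lookup's stanza name.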