I'm trying to use the PowerShell Splunk SDK to gather information that we have saved in a lookup file. When I attempt to search with
Search-Splunk -Search "| inputlookup file.csv" I receive the following error message: Error in 'inputlookup' command: This command must be the first command of a search. Also, Unexpected XML declaration.
The search in double quotes works fine from the web interface, but fails when using the PowerShell SDK. Is this an issue with how the REST API handles searches? Has anyone come across this before or know of any solutions? Thank you.
I haven't tried that myself, but isn't it just telling you to leave off the "|" or to make it "search|" ?? I think the rest endpoint needs you to be explicit about search, where the web UI implies it.
Leaving off the pipe returns no results. Adding "Search |" throws the same error text as just having the pipe. I dug through the Search-Splunk command, it prepends/adds the implied search when in invokes the REST API. I also tried using the REST API with the format of how Search-Splunk is coded with no success.