Developing for Splunk Enterprise

Using inputlookup with external_cmd

Path Finder

Hi all,

Is it possible to use inputlookup to pull a list of information from a scripted lookup?

The documentation for inputlookup seems to suggest this is possible:

The lookup table can be configured for any lookup type (CSV, external, or KV store).

But the documentation for transforms.conf where the scripted input is defined states

Your external lookup script must take in a partially empty CSV file and output a filled-in CSV file

Which implies that it can't be used with a generating command like inputlookup.

I'm trying to pull in a CSV from a threat intel feed but in a way that would allow me to do so using a scheduled search rather than a scripted input or modular input. Any thoughts on how best to do this if using a scripted input with inputlookup isn't possible?
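The transforms.conf contract quoted above, shown as an added example rather than code from this thread or from Splunk: a minimal external (scripted) lookup that reads the partially filled CSV Splunk hands it on stdin and writes it back with the lookup field completed. The stanza in the docstring, the script name, the `indicator`/`verdict` field names and the small indicator table are all assumed or constructed for illustration. Fed a header-only CSV, which is all a generating command like inputlookup would have to offer, the script returns nothing but the header, which is the practical reason an external lookup cannot serve as a row source.

```python
"""Minimal Splunk-style external (scripted) lookup.

An assumed transforms.conf stanza wiring it up would look like:

    [threatintel_lookup]
    external_cmd = threatintel_lookup.py indicator verdict
    fields_list  = indicator, verdict

Splunk runs the script once per search. It passes a CSV on stdin whose rows
carry the `indicator` values seen in the events and an empty `verdict`
column, and expects the same CSV back on stdout with `verdict` filled in.
"""
import csv
import io
import sys

# Constructed sample intel table (documentation address ranges only).
# A real script would read the cached feed that a scheduled search or
# modular input keeps refreshed on disk.
INTEL = {
    "198.51.100.7": "malicious",
    "evil.example": "malicious",
    "203.0.113.9": "suspicious",
}


def fill_lookup(csv_text, key_field, out_field):
    """Apply the external-lookup contract to CSV text and return the filled CSV.

    Rows whose key is not in the table keep an empty `out_field`, so a later
    `| where isnotnull(verdict)` in SPL only keeps real matches.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames is None or key_field not in reader.fieldnames:
        raise ValueError("input CSV must carry a %r column" % key_field)

    fieldnames = list(reader.fieldnames)
    if out_field not in fieldnames:
        # Splunk normally sends every field in fields_list; tolerate a missing one.
        fieldnames.append(out_field)

    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        key = row.get(key_field, "")
        if key:
            row[out_field] = INTEL.get(key, "")
        writer.writerow(row)
    return out.getvalue()


def main(argv):
    """CLI entry point matching `external_cmd = script.py <key_field> <out_field>`."""
    if len(argv) != 3:
        sys.stderr.write("usage: %s <key_field> <out_field>\n" % argv[0])
        return 2
    sys.stdout.write(fill_lookup(sys.stdin.read(), argv[1], argv[2]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it the way Splunk would, for instance `printf 'indicator,verdict\n198.51.100.7,\n' | python threatintel_lookup.py indicator verdict`, and the verdict column comes back filled; pipe in only the header line and only the header comes back.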

1 Solution

SplunkTrust

If you really want to do it in SPL then I would suggest a custom search command. I don't think you are going to get inputlookup to work since it likely requires arguments to look up on.

http://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Writeasearchcommand


Path Finder

I converted my script to work as a search command not long after posting the question. I agree that it looks like a search command or modular input is the way to go, but I believe that Splunk should update their documentation for inputlookup if it's not possible to use scripted lookups with this command (as the documentation currently states).


Path Finder

I've sent a comment on the documentation page for inputlookup to query whether the statement that inputlookup will work with scripted lookups is correct or not. I suspect it is incorrect.


SplunkTrust

Yup, the docs feedback is the best way to get Splunk to update the docs. The docs team watches it carefully.


Path Finder

Search logs show:

03-08-2017 10:20:03.398 WARN SearchOperator:inputcsv - sid:1488932400.14 The lookup table 'testlookup' is invalid.

So it looks like, possibly, it's trying to load my scripted lookup using inputcsv?
