Federated Search -How do I create lookup file with...

discenzadoe · ‎03-16-2022

We are working with several remote datasets that are combined to give our end user a specific result.

Federated Search gives us an LDAP dn, which we are trying to use to pull enhancing information from another remote source via a REST API. The following search works:

index=federated:remote_dataset userid="cn=" | \
      eval dn=lower(userid) | \
      dedup dn | \
      table dn

The idea is to use a scheduled search to populate a csv with a list of DNs at the top of every hour, then use a cron job to spawn a python script which generates a new CSV that contains the DN and the enhancing data from the REST API source. Our python script is working, however when we add "|outputlookup dn.csv append=true" to the otherwise functional SPL, we get nothing.

This fails:

index=federated:remote_dataset userid="cn=" | \
      eval dn=lower(userid) | \
      dedup dn | \
      table dn | \
      outputlookup dn.csv append=true

Is this a limitation of Federated Search?

Thank you

somesoni2 · ‎03-17-2022

Do you see any error when running the search? (in Job dropdown you should see some message).

Federated Search -How do I create lookup file with results?

CSV

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM