Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Federated Search -How do I create lookup file with results?

discenzadoe
Explorer
‎03-16-2022 12:47 PM

We are working with several remote datasets that are combined to give our end user a specific result. 

Federated Search gives us an LDAP dn, which we are trying to use to pull enhancing information from another remote source via a REST API.  The following search works:

 

index=federated:remote_dataset userid="cn=" | \
      eval dn=lower(userid) | \
      dedup dn | \
      table dn

 

The idea is to use a scheduled search to populate a csv with a list of DNs at the top of every hour, then use a cron job to spawn a python script which generates a new CSV that contains the DN and the enhancing data from the REST API source. Our python script is working, however when we add "|outputlookup dn.csv append=true" to the otherwise functional SPL, we get nothing.

This fails:

 

index=federated:remote_dataset userid="cn=" | \
      eval dn=lower(userid) | \
      dedup dn | \
      table dn | \
      outputlookup dn.csv append=true

 

Is this a limitation of Federated Search?

Thank you

Labels (1)
Labels
0 Karma
Reply

somesoni2
Revered Legend
‎03-17-2022 07:29 AM

Do you see any error when running the search? (in Job dropdown you should see some message).

0 Karma
Reply

_joe
Contributor
‎09-04-2024 05:19 AM

Similar issue. There are no error logs per say.  The search log shows the the output appears to be happening on the remote SH. 

Results written to file '/opt/splunk/etc/apps/search/lookups/mylookup.csv' on serverName=',<<remoteServerName>>

In other words, if I login to my local search head and run this and get an output of 100 entries:

| federated from:my report | outputlookup mylookup.csv

Then I run this (Again on the local search head), it will be empty:

| inputlookup mylookup.csv

 

 

0 Karma
Reply

_joe
Contributor
‎09-04-2024 08:42 AM

You can use '| append [ | noop ]' as a workaround:

| from federated <> 
| append [ | noop ]
| outputlookup <>.csv

 

0 Karma
Reply
Get Updates on the Splunk Community!

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...
Top