Downloading lookup files via API returning 403 For...

random_event · ‎10-20-2023

I just updated the Splunk App for Lookup File Editing to the latest and now I can no longer download lookup files via CLI. This has been working flawlessly in Splunk Cloud when I was running v3.6.0 but just updated to 4.0.1 (v4.0.2 not available in Cloud yet) and now I am getting 403 errors.

Through testing, I verified lookup endpoint is still valid, lookup shared at global level, and I even changed the permissions of the account to be sc_admin but still experiencing the same issue. Has anyone else come across this and found a solution? Same error no matter which lookup file I attempt to download.

My test command

python3 lut.py -app search -l geo_attr_countries.csv -app search
INFO:root:list of lookups to download: ['geo_attr_countries.csv']
ERROR:root:[failed] Error: Downloading file: 'geo_attr_countries.csv', status:403, reason:Forbidden, url:https://[REDACTED].splunkcloud.com:8089/services/data/lookup_edit/lookup_contents?lookup_type=csv&namespace=search&lookup_file=geo_attr_countries.csv

Python script from here

PTC_ · ‎03-28-2024

Was the issue fixed?
I'm having the exactly same issue and weeks ago it was working fine.

No change was done to the lookup/dataset permissions and the user I'm using to access is the owner of the lookup.

Could this be related to a splunk certificate being expired?
or something else?

random_event · ‎03-28-2024

Unfortunately, I never found a solution. If you happen to find the fix, please reply with it.

dsanders80 · ‎12-06-2023

You need to supply the owner in your call. Just add "&owner=nobody" if it is a global lookup.

Downloading lookup files via API returning 403 Forbidden

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?