Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Downloading lookup files via API returning 403 Forbidden

random_event
Explorer
‎10-20-2023 10:06 AM

I just updated the Splunk App for Lookup File Editing to the latest and now I can no longer download lookup files via CLI.  This has been working flawlessly in Splunk Cloud when I was running v3.6.0 but just updated to 4.0.1 (v4.0.2 not available in Cloud yet) and now I am getting 403 errors.

Through testing, I verified lookup endpoint is still valid, lookup shared at global level, and I even changed the permissions of the account to be sc_admin but still experiencing the same issue.  Has anyone else come across this and found a solution?  Same error no matter which lookup file I attempt to download.

My test command

 

python3 lut.py -app search -l geo_attr_countries.csv -app search
INFO:root:list of lookups to download: ['geo_attr_countries.csv']
ERROR:root:[failed] Error: Downloading file: 'geo_attr_countries.csv', status:403, reason:Forbidden, url:https://[REDACTED].splunkcloud.com:8089/services/data/lookup_edit/lookup_contents?lookup_type=csv&namespace=search&lookup_file=geo_attr_countries.csv

 

 Python script from here

Tags (1)
0 Karma
Reply

PTC_
Explorer
‎03-28-2024 04:01 AM

Was the issue fixed?
I'm having the exactly same issue and weeks ago it was working fine.

No change was done to the lookup/dataset permissions and the user I'm using to access is the owner of the lookup.

Could this be related to a splunk certificate being expired?
or something else?

0 Karma
Reply

random_event
Explorer
‎03-28-2024 06:21 AM

Unfortunately, I never found a solution.  If you happen to find the fix, please reply with it.

0 Karma
Reply

dsanders80
Loves-to-Learn Lots
‎12-06-2023 01:12 PM

You need to supply the owner in your call.  Just add "&owner=nobody" if it is a global lookup.

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...