Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Downloading lookup files via API returning 403 Forbidden

random_event
Explorer
‎10-20-2023 10:06 AM

I just updated the Splunk App for Lookup File Editing to the latest and now I can no longer download lookup files via CLI.  This has been working flawlessly in Splunk Cloud when I was running v3.6.0 but just updated to 4.0.1 (v4.0.2 not available in Cloud yet) and now I am getting 403 errors.

Through testing, I verified lookup endpoint is still valid, lookup shared at global level, and I even changed the permissions of the account to be sc_admin but still experiencing the same issue.  Has anyone else come across this and found a solution?  Same error no matter which lookup file I attempt to download.

My test command

 

python3 lut.py -app search -l geo_attr_countries.csv -app search
INFO:root:list of lookups to download: ['geo_attr_countries.csv']
ERROR:root:[failed] Error: Downloading file: 'geo_attr_countries.csv', status:403, reason:Forbidden, url:https://[REDACTED].splunkcloud.com:8089/services/data/lookup_edit/lookup_contents?lookup_type=csv&namespace=search&lookup_file=geo_attr_countries.csv

 

 Python script from here

Tags (1)
0 Karma
Reply

PTC_
Explorer
‎03-28-2024 04:01 AM

Was the issue fixed?
I'm having the exactly same issue and weeks ago it was working fine.

No change was done to the lookup/dataset permissions and the user I'm using to access is the owner of the lookup.

Could this be related to a splunk certificate being expired?
or something else?

0 Karma
Reply

random_event
Explorer
‎03-28-2024 06:21 AM

Unfortunately, I never found a solution.  If you happen to find the fix, please reply with it.

0 Karma
Reply

dsanders80
Loves-to-Learn Lots
‎12-06-2023 01:12 PM

You need to supply the owner in your call.  Just add "&owner=nobody" if it is a global lookup.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...