Python scripted lookup doesn't produce any results

ultra · ‎01-03-2011

Hi, I have created an scripted lookup (app) that looks up data in MongoDB and returns some results.

I have used an existing lookup (that works) as a template. When I test my lookup from the console with ~/bin/splunk cmd python lookup.py < input.csv it works (just as the other script that I used as a base), however, when searching from splunk it returns no result:

app.conf

[ui] is_visible = false label = MongoLookup

transforms.conf

[mlookup] external_cmd = lookup.py fields_list = clientuid country cref refid

Searching with: index="idx_XXXXXX" sourcetype="YYYYYYY" | lookup mlookup clientuid as userID | table userID, country

I get no results for country,cref,refid

Is there a way I could see what's splunk doing when calling my script?

Ron_Naken · ‎02-03-2011

The error output of scripted inputs is indexed by Splunk in the _internal index. You can search the errors with a similar search to the following:

index="_internal" error myscript.sh

You should see notices that look like "ERROR ExecProcessor", followed by the script path/name.

This data is also kept in $SPLUNK_HOME/var/log/splunk in splunkd.log.

HTH,
Ron

Python scripted lookup doesn't produce any results

Community Content Calendar, August edition

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Are you a member of the Splunk Community?

Python scripted lookup doesn't produce any results

Community Content Calendar, August edition

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever