Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk search with PowerShell SDK using inputlooup

kraber
Explorer
‎03-20-2014 08:26 AM

I'm trying to use the PowerShell Splunk SDK to gather information that we have saved in a lookup file. When I attempt to search with Search-Splunk -Search "| inputlookup file.csv" I receive the following error message: Error in 'inputlookup' command: This command must be the first command of a search. Also, Unexpected XML declaration.

The search in double quotes works fine from the web interface, but fails when using the PowerShell SDK. Is this an issue with how the REST API handles searches? Has anyone come across this before or know of any solutions? Thank you.

Reply

jmccord
Engager
‎09-24-2015 06:20 AM

Ran into this today too. I added a search to a non-existent index to the beginning and changed the inputlookup to append:

index=fakeindex | inputlookup append=t file.csv

Reply

jbennett_splunk
Splunk Employee
Splunk Employee
‎03-21-2014 10:49 AM

I haven't tried that myself, but isn't it just telling you to leave off the "|" or to make it "search|" ?? I think the rest endpoint needs you to be explicit about search, where the web UI implies it.

0 Karma
Reply

kraber
Explorer
‎03-25-2014 04:44 AM

A simple keyword search did work and returned results. I attempted to use their REST implementation and left out the "search" No dice.

0 Karma
Reply

jbennett_splunk
Splunk Employee
Splunk Employee
‎03-21-2014 11:20 AM

Ok, I change my answer to ... the opposite of what I said the first time. The problem is that the cmdlet is ADDING the "Search" ...

0 Karma
Reply

halr9000
Motivator
‎03-21-2014 11:15 AM

Does a simple keyword search work?

0 Karma
Reply

kraber
Explorer
‎03-21-2014 10:56 AM

Leaving off the pipe returns no results. Adding "Search |" throws the same error text as just having the pipe. I dug through the Search-Splunk command, it prepends/adds the implied search when in invokes the REST API. I also tried using the REST API with the format of how Search-Splunk is coded with no success.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...