Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk search with PowerShell SDK using inputlooup

kraber
Explorer
‎03-20-2014 08:26 AM

I'm trying to use the PowerShell Splunk SDK to gather information that we have saved in a lookup file. When I attempt to search with Search-Splunk -Search "| inputlookup file.csv" I receive the following error message: Error in 'inputlookup' command: This command must be the first command of a search. Also, Unexpected XML declaration.

The search in double quotes works fine from the web interface, but fails when using the PowerShell SDK. Is this an issue with how the REST API handles searches? Has anyone come across this before or know of any solutions? Thank you.

Reply

jmccord
Engager
‎09-24-2015 06:20 AM

Ran into this today too. I added a search to a non-existent index to the beginning and changed the inputlookup to append:

index=fakeindex | inputlookup append=t file.csv

Reply

jbennett_splunk
Splunk Employee
Splunk Employee
‎03-21-2014 10:49 AM

I haven't tried that myself, but isn't it just telling you to leave off the "|" or to make it "search|" ?? I think the rest endpoint needs you to be explicit about search, where the web UI implies it.

0 Karma
Reply

kraber
Explorer
‎03-25-2014 04:44 AM

A simple keyword search did work and returned results. I attempted to use their REST implementation and left out the "search" No dice.

0 Karma
Reply

jbennett_splunk
Splunk Employee
Splunk Employee
‎03-21-2014 11:20 AM

Ok, I change my answer to ... the opposite of what I said the first time. The problem is that the cmdlet is ADDING the "Search" ...

0 Karma
Reply

halr9000
Motivator
‎03-21-2014 11:15 AM

Does a simple keyword search work?

0 Karma
Reply

kraber
Explorer
‎03-21-2014 10:56 AM

Leaving off the pipe returns no results. Adding "Search |" throws the same error text as just having the pipe. I dug through the Search-Splunk command, it prepends/adds the implied search when in invokes the REST API. I also tried using the REST API with the format of how Search-Splunk is coded with no success.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...