Splunk Dev

Using inputlookup with external_cmd

cygnetix
Path Finder

Hi all,

Is it possible to use inputlookup to pull a list of information from a scripted lookup?

The documentation for inputlookup seems to suggest this is possible:

The lookup table can be configured for any lookup type (CSV, external, or KV store).

But the documentation for transforms.conf where the scripted input is defined states

Your external lookup script must take in a partially empty CSV file and output a filled-in CSV file

Which implies that it can't be used with a generating command like inputlookup.

I'm trying to pull in a CSV from a threat intel feed but in a way that would allow me to do so using a scheduled search rather than a scripted input or modular input. Any thoughts on how best to do this if using a scripted input with inputlookup isn't possible?

1 Solution

starcher
Influencer

If you really want to do it in SPL then I would suggest a custom search command. I don't think you are going to get inputlookup to work since it is likely requiring arguments to lookup on.

http://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Writeasearchcommand


0 Karma
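To make the distinction in the accepted answer concrete, here is an added example (not code from the thread or from Splunk) of the external lookup contract the question quotes: the script is handed a partially empty CSV whose key column (the "arguments to lookup on") is already filled, and it returns the same CSV with the other columns filled in. Alongside it is the generating behaviour a custom search command or input would need instead. The threat feed is a constructed inline sample, the field names are assumptions, and wiring the script into transforms.conf is left out.

```python
import csv
import io
import sys

# Constructed sample feed, not a real threat intel source.
THREAT_FEED_CSV = """indicator,type,confidence,source
203.0.113.7,ip,90,constructed-feed
198.51.100.22,ip,60,constructed-feed
example-bad.test,domain,75,constructed-feed
"""


def load_feed(feed_text):
    """Parse the feed CSV into a dict keyed by indicator."""
    rows = csv.DictReader(io.StringIO(feed_text))
    return {row["indicator"]: dict(row) for row in rows}


def fill_lookup(input_csv_text, feed, key_field="indicator"):
    """External-lookup contract: read a partially empty CSV in which only
    the key column is populated, fill the remaining columns for every key
    present in the feed, and return the completed CSV text.

    Rows whose key is unknown are written back unchanged (empty output
    fields are how the lookup reports "no match"). Note that the script
    never sees an empty input: without key rows there is nothing to fill,
    which is why a generating command like inputlookup cannot drive it.
    """
    reader = csv.DictReader(io.StringIO(input_csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        match = feed.get(row.get(key_field, ""))
        if match:
            for col in reader.fieldnames:
                # Only fill columns Splunk left empty; keep supplied values.
                if col != key_field and not row.get(col):
                    row[col] = match.get(col, "")
        writer.writerow(row)
    return out.getvalue()


def generate_all(feed):
    """What a generating command (custom search command, scripted or
    modular input) does instead: emit every feed row with no input keys."""
    return list(feed.values())


def main():
    # Splunk runs an external lookup script with the lookup field names as
    # arguments, the partially filled CSV on stdin, and reads CSV from stdout.
    feed = load_feed(THREAT_FEED_CSV)
    sys.stdout.write(fill_lookup(sys.stdin.read(), feed))


if __name__ == "__main__":
    main()
```

Run it as `printf 'indicator,type,confidence,source\n203.0.113.7,,,\n' | python3 lookup_example.py` to see the filled row; feeding it an empty CSV (header only) returns the header only, which is the behaviour the thread runs into.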

spunk_enthusias
Path Finder

When running

| inputlookup testlookup

(which is an external lookup) I get the error message:

The lookup table 'testlookup' requires a .csv or KV store lookup definition

... so I assume this isn't an intended use case.

Quite a bummer because (as per some of my earlier posts) custom search commands kind of suck.

0 Karma


cygnetix
Path Finder

I converted my script to work as a search command not long after posting the question. I agree that it looks like a search command or modular input are the way to go, but I believe that Splunk should update their documentation for inputlookup if it's not possible to use scripted lookups with this command (as the documentation currently states).

0 Karma

cygnetix
Path Finder

I've sent a comment on the documentation page for inputlookup to query whether the statement that inputlookup will work with scripted lookups is correct or not. I suspect it is incorrect.

0 Karma

starcher
Influencer

Yup the docs feedback is the best way to get Splunk to update the docs. The docs team watches it carefully.

0 Karma

cygnetix
Path Finder

Search logs show:

03-08-2017 10:20:03.398 WARN SearchOperator:inputcsv - sid:1488932400.14 The lookup table 'testlookup' is invalid.

So it looks like, possibly, it's trying to load my scripted lookup using inputcsv?

0 Karma