Hi all,
Is it possible to use inputlookup to pull a list of information from a scripted lookup?
The documentation for inputlookup seems to suggest this is possible:
The lookup table can be configured for any lookup type (CSV, external, or KV store).
But the documentation for transforms.conf where the scripted input is defined states
Your external lookup script must take in a partially empty CSV file and output a filled-in CSV file
Which implies that it can't be used with a generating command like inputlookup.
I'm trying to pull in a CSV from a threat intel feed but in a way that would allow me to do so using a scheduled search rather than a scripted input or modular input. Any thoughts on how best to do this if using a scripted input with inputlookup isn't possible?
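The transforms.conf contract quoted above, written out as an added example (not code from the original post or from Splunk): an external lookup script receives a CSV on stdin whose output field is empty and must echo it back filled in. The field names, the intel table and the enrichment rule are constructed placeholders; running it against a header-only CSV shows why a generating command such as inputlookup has nothing for such a script to work on.

```python
#!/usr/bin/env python3
"""Minimal Splunk-style external (scripted) lookup.

Splunk calls the script with the field names as arguments and pipes in a CSV
whose rows have the input field populated and the output field empty; the
script must write the same CSV back with the output field filled in.
"""
import csv
import io
import sys

# Constructed sample intel table (placeholder values, not a real feed).
SAMPLE_INTEL = {
    "198.51.100.7": "scanner",
    "203.0.113.42": "c2",
}


def fill_lookup(csv_text, input_field, output_field, table):
    """Return csv_text with output_field filled from table where it is empty.

    Rows whose input value is unknown are passed through unchanged so Splunk
    can distinguish a miss from a hit. With no data rows (what a generating
    command would offer) nothing is enriched and only the header comes back,
    which is why an external lookup cannot act as a data source.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames is None:
        return ""  # no header at all: nothing to echo back
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        hit = table.get(row.get(input_field, ""))
        if hit is not None and not row.get(output_field):
            row[output_field] = hit
        writer.writerow(row)
    return out.getvalue()


def main(argv=sys.argv):
    if len(argv) != 3:
        sys.stderr.write("usage: intel_lookup.py <input_field> <output_field>\n")
        return 1
    sys.stdout.write(fill_lookup(sys.stdin.read(), argv[1], argv[2], SAMPLE_INTEL))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```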
If you really want to do it in SPL then I would suggest a custom search command. I don't think you are going to get inputlookup to work since it is likely requiring arguments to lookup on.
http://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Writeasearchcommand
When running
| inputlookup testlookup
(which is an external lookup) I get the error message:
The lookup table 'testlookup' requires a .csv or KV store lookup definition
... so I assume this isn't an intended use case.
Quite a bummer because (as per some of my earlier posts) custom search commands kind of suck.
I converted my script to work as a search command not long after posting the question. I agree that it looks like a search command or modular input are the way to go, but I believe that Splunk should update their documentation for inputlookup if it's not possible to use scripted lookups with this command (as the documentation currently states).
I've sent a comment on the documentation page for inputlookup to query whether the statement that inputlookup will work with scripted lookups is correct or not. I suspect it is incorrect.
Yup the docs feedback is the best way to get Splunk to update the docs. The docs team watches it carefully.
Search logs show:
03-08-2017 10:20:03.398 WARN SearchOperator:inputcsv - sid:1488932400.14 The lookup table 'testlookup' is invalid.
So it looks like, possibly, it's trying to load my scripted lookup using inputcsv?