
AppInspect check_all_lookups_are_used too restrictive?

Graham_Hanningt
Builder

Excerpt from an AppInspect report:

[ Failure Summary ]
Failures will block the Cloud Vetting. They must be fixed.
check_all_lookups_are_used
Lookup file my_trans.csv is not referenced in transforms.conf. File: default/transforms.conf

The report is correct: my_trans.csv (not its real name) is not referenced in transforms.conf.

However, my_trans.csv is referenced by a macro in the app. From the app's macros.conf:

[myapp_exclude_my_trans]
definition = NOT [|inputlookup my_trans.csv]

From the description of this check in the AppInspect docs:

Check that all files in the /lookups directory are referenced in transforms.conf.

Why must files in the /lookups directory be referenced in transforms.conf?

Do I really need to add:

[mylookuptable]
filename = my_trans.csv

just to satisfy AppInspect?


kamlesh_vaghela
SplunkTrust

@Graham_Hannington

I think yes, you should use the lookup name instead of a file name in macros.conf.

transforms.conf

[mylookuptable]
filename = my_trans.csv

macros.conf

[myapp_exclude_my_trans]
definition = NOT [|inputlookup mylookuptable ]

Can you please try it?

Graham_Hanningt
Builder

@kamlesh_vaghela ,

Thank you! Yes, I've tried it, and it works.

I had completely overlooked what you describe: that the inputlookup command can refer to a transforms.conf stanza name instead of the .csv file name. That explains a lot! In particular, as @nickhillscpl points out (thank you, too!) why AppInspect checks this. I "get it" now.

Thanks again to both of you for your advice, much appreciated. I'm now one step closer to that AppInspect badge.


nickhills
Ultra Champion

Great news! I have added @kamlesh_vaghela's comment as an answer. Please accept it and upvote any posts that helped!

If my comment helps, please give it a thumbs up!

Graham_Hanningt
Builder

@kamlesh_vaghela ,

If you feel like converting your comment into an answer, I'll accept it.


nickhills
Ultra Champion

Building on @kamlesh_vaghela's answer: best practice is not to use lookup CSV files directly.
The reason for this is that you cannot define some of the lookup options, such as match results or wildcard matching, without using a definition.
It also allows for future expansion to move to KV store without having to reconstruct your knowledge objects.
This is why the process encourages you to use a lookup definition, and use that definition name in your searches and macros in place of the CSV filename.

If my comment helps, please give it a thumbs up!

bowesmana
SplunkTrust

@nickhills Just came across your comment, which made me chuckle, that the AppInspect process encourages us to use definitions - while I agree with the principle of using definitions, I would say that a hard failure is not exactly an encouragement - it's a point-blank computer says NO 😏

 
