Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Dynamic Lookup issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dynamic Lookup issue
By trying to run a python script for a dynamic lookup I get the following error
Error in 'lookup' command: The lookup
table 'externalLookup' does not exist.
My Query is like this:
source=* | lookup externalLookup value OUTPUT returnString | chart count by returnString
I was trying to add the externalLookup.py inside the Search folder
/splunk/etc/apps/search/bin
The transforms.conf and the props.conf are in the directory:
It's inside the folder /splunk/etc/apps/search/local
transforms.conf
[externalLookup]
external_cmd = externalLookup.py value returnString
external_type = python
fields_list = value, returnString
props.conf
[externalLookup]
LOOKUP-table=externalLookup value OUTPUT returnString
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Regards to your fast Answer but It's still not working,
Therefore I wrote this dummy script to test how to make dynamical Lookups:
import csv
import sys
import os
import logging
import traceback
LOG_FILENAME = '/tmp/external-lookup.log'
LOG_FORMAT = "[%(asctime)s] %(name)s %(levelname)s: %(message)s"
logging.basicConfig(filename=LOG_FILENAME,level=logging.DEBUG,format=LOG_FORMAT)
logger = logging.getLogger('mylookupscript')
logger.debug("Called with params: {}".format(sys.argv))
ifile = open(r'/../File', 'r')
csvFile = csv.reader(ifile, delimiter=",")
inputIpCsv = csv.reader(sys.stdin)
first = True
try:
for line in inputIpCsv:
if first:
header = line
logger.debug("CSV header: {}".format(line))
w = csv.writer(sys.stdout)
w.writerow(["value", "returnString"])
first = False
else:
result = ["value ", "Stuff"]
logger.debug("Processing: {}, wrote: {}".format(line, result))
w.writerow(result)
except Exception as ex:
traceback.print_exc()
logger.exception("Exception: ")
ifile.close()
The python script shows answers on the command line but Splunk still shows no Response.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've not composed my own scripted input, so I don't know why it's not working in splunk. I will recommend checking out the scripted inputs included in the app as potential reference. (etc/system/bin/external_lookup.py for example)
Good luck!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your props.conf stanza indicates that the lookup only applies to the [externalLookup] sourcetype. Is that intended? If you're planning to manually invoke the lookup in search (as in your example) then there doesn't need to be anything in props.conf for this.
Your lookup script itself should live in etc/apps/search/lookups/ as well, not /bin.
Finally, the last question is scope. As configured, the lookup is only available in the search app context. If you're in another app, it will give you the error you're seeing. You can change this by adding an export to /etc/apps/search/metadata/local.meta
[lookups]
export = system
You may also need to restart splunk for the lookup to be visible.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
