- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: External lookup failing with error code 1 - 6....
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to get an external lookup to work (already have one other one working successfully), but I've been getting the following error:
Script for lookup table 'myTestLookup' returned error code 1. Results may be incorrect.
Calling the script manually works. The details are below. Any thoughts?
Splunk Search
index=* | head 1 | eval jobname="Test" | eval status="FAILURE" | lookup myTestLookup jobname status OUTPUT recipients | table jobname, status, recipients
transforms.conf
[myTestLookup]
external_cmd = myTestLookup.py jobname status recipients
external_type = python
fields_list = jobname, status, recipients
/tmp/Splunk/test.csv
jobname,status,recipients
"test","test",
command
splunk cmd python myTestLookup.py "test" "test" "" < /tmp/Splunk/test.csv
successful output
jobname,status,recipients
test,test,"test@test.com"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
While waiting for this to post, I tried adding an absolute path in the script and it worked. Not sure where Splunk runs scripts from, but it's not the bin directory in the app.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
While waiting for this to post, I tried adding an absolute path in the script and it worked. Not sure where Splunk runs scripts from, but it's not the bin directory in the app.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ho hortonew,
I agree the path could be a problem. Add some debugging to your script like this:
#myDebug="no" # debug disabled
myDebug="yes" # debug enabled
# get SPLUNK_HOME form OS
SPLUNK_HOME = os.environ['SPLUNK_HOME']
# get myScript name and path
myScript = os.path.basename(__file__)
myPath = os.path.dirname(os.path.realpath(__file__))
# define the logger to write into log file
def setup_logging(n):
logger = logging.getLogger(n)
if myDebug == "yes":
logger.setLevel(logging.DEBUG)
else:
logger.setLevel(logging.ERROR)
LOGGING_DEFAULT_CONFIG_FILE = os.path.join(SPLUNK_HOME, 'etc', 'log.cfg')
LOGGING_LOCAL_CONFIG_FILE = os.path.join(SPLUNK_HOME, 'etc', 'log-local.cfg')
LOGGING_STANZA_NAME = 'python'
LOGGING_FILE_NAME = "%s.log" % myScript
BASE_LOG_PATH = os.path.join('var', 'log', 'splunk')
LOGGING_FORMAT = "%(asctime)s %(levelname)-s\t%(module)s:%(lineno)d - %(message)s"
splunk_log_handler = logging.handlers.RotatingFileHandler(os.path.join(SPLUNK_HOME, BASE_LOG_PATH, LOGGING_FILE_NAME), mode='a')
splunk_log_handler.setFormatter(logging.Formatter(LOGGING_FORMAT))
logger.addHandler(splunk_log_handler)
splunk.setupSplunkLogger(logger, LOGGING_DEFAULT_CONFIG_FILE, LOGGING_LOCAL_CONFIG_FILE, LOGGING_STANZA_NAME)
return logger
# start the logger for troubleshooting
if myDebug == "yes": logger = setup_logging( "Logger started ..." ) # logger
This will produce a logfile for your script in $SPLUNK_HOME/var/log/splunk/
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The only thing I can think of is in my script I'm opening a file with a relative path. Will that path not work when called by Splunk? For example:
with open("../lookups/test.csv", "rb") as infile:
etc...
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
