Splunk Cloud: Lookups

Gravoc
Observer

Hi Splunk Experts,

I hope to get a quick hint on my issue. I have a Splunk Cloud setup with two search heads, one of which is dedicated to Enterprise Security. I have different lookups on this search head containing, e.g., all user attributes. I wanted to enhance a specific search using the lookup command as described in the documentation.

Additionally, I can access and view the lookup with the inputlookup command, confirming the file’s existence and proper permissions on the search head.

The search I have trouble with (simplified):

index=main source_type=some_event_related_to_users
| lookup ldap_users.csv identity as src_user

However, this search instantaneously fails with:

[idx-[...].splunkcloud.com,idx-[...].splunkcloud.com,idx-[...].splunkcloud.com] The lookup table 'ldap_users.csv' does not exist or is not available.

I must confess I am rather new to Splunk and even newer to running a Splunk cluster. So I do not really understand why my indexers are looking for the file in the first place. I assumed that the search head would handle the lookup. In addition, as I am a Splunk Cloud customer, I don’t have access to the indexers anyway.

Can someone give me a pointer on how to achieve such a query in a Splunk Cloud Environment?


gcusello
SplunkTrust

Hi @Gravoc ,

First, check that the lookup name is correct (it's case sensitive).

Then check whether you can see the lookup using the Splunk Lookup Editor App.

Then check whether you have also created the lookup definition for this lookup.

Lastly, check the grants on the lookup and on the lookup definition.

Ciao.

Giuseppe


Gravoc
Observer

Hi @gcusello,

thanks for giving this quick reply.

I checked the filename both manually and a second time by using the following command:

| inputlookup ldap_users.csv

This returns the lookup as expected.

I can see and edit my lookup with the lookup editor app.

I also created a lookup definition and set the permissions on both the lookup and the lookup definition to global read. I also use the lookup in my Enterprise Security Asset Management, and there it works flawlessly.

However, I managed to just utilize the merged identity lookup that Enterprise Security creates. It is not the solution to the original problem, but it solves my use case.

So for me the solution is to just utilize another lookup:

index=main source_type=some_event_related_to_users 
| lookup identity_lookup_expanded identity as src_user


gcusello
SplunkTrust

Hi @Gravoc ,
maybe you created the lookup in a different app and didn't add the Global sharing level to the lookup and to the definition.

The ES lookups, on the other hand, are shared at the Global level, which is probably why that one works.

Try sharing both the lookup and the definition as Global.

Ciao.

Giuseppe

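A small checker for the points Giuseppe raises in both replies (name case, presence of a lookup definition, and Global sharing of both file and definition), added here as an example and not code from the thread. It assumes the two inputs are shaped like the entries Splunk's REST endpoints data/lookup-table-files and data/transforms/lookups return with output_mode=json (acl.app, acl.sharing, content.filename); the sample entries are constructed.

```python
import json

# Constructed samples shaped like (assumed) Splunk REST output_mode=json entries from
# data/lookup-table-files and data/transforms/lookups; not from the thread's environment.
LOOKUP_FILES = json.loads("""{"entry": [
 {"name": "LDAP_users.csv", "acl": {"app": "search", "sharing": "user"}},
 {"name": "identity_lookup_expanded.csv",
  "acl": {"app": "SA-IdentityManagement", "sharing": "global"}}]}""")
LOOKUP_DEFS = json.loads("""{"entry": [
 {"name": "identity_lookup_expanded",
  "content": {"filename": "identity_lookup_expanded.csv"},
  "acl": {"app": "SA-IdentityManagement", "sharing": "global"}}]}""")


def check_lookup_reference(name, files=LOOKUP_FILES, definitions=LOOKUP_DEFS):
    """Return the reasons '| lookup <name>' may fail when run from a
    different app; an empty list means the reference looks healthy."""
    problems = []
    by_file = {e["name"]: e for e in files["entry"]}
    by_def = {d["name"]: d for d in definitions["entry"]}
    if name in by_def:                      # reference by lookup definition
        d = by_def[name]
        if d["acl"]["sharing"] != "global":
            problems.append(f"definition '{name}' is shared '{d['acl']['sharing']}', not global")
        filename = d["content"]["filename"]
        f = by_file.get(filename)
        if f is None:
            problems.append(f"definition points at a missing file '{filename}'")
        elif f["acl"]["sharing"] != "global":
            problems.append(f"file '{filename}' is shared '{f['acl']['sharing']}', not global")
    elif name in by_file:                   # reference by CSV file name
        f = by_file[name]
        if f["acl"]["sharing"] != "global":
            problems.append(f"file '{name}' is shared '{f['acl']['sharing']}' in app "
                            f"'{f['acl']['app']}', not global")
        if not any(d["content"]["filename"] == name for d in by_def.values()):
            problems.append("no lookup definition points at this file")
    else:                                   # neither: look for a case mismatch
        near = [n for n in list(by_file) + list(by_def) if n.lower() == name.lower()]
        if near:
            problems.append(f"lookup names are case sensitive: found {near}, not '{name}'")
        else:
            problems.append(f"'{name}' is neither a lookup file nor a lookup definition")
    return problems


if __name__ == "__main__":
    for ref in ("ldap_users.csv", "LDAP_users.csv", "identity_lookup_expanded"):
        print(ref, "->", check_lookup_reference(ref) or ["ok"])
```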