Splunk Cloud: Lookups

Gravoc
Observer

Hi Splunk Experts,

I hope to get a quick hint on my issue. I have a Splunk Cloud setup with two search heads, one of which is dedicated to Enterprise Security. I have different lookups on this search head containing, e.g., all user attributes. I wanted to enhance a specific search using the lookup command as described in the documentation.

Additionally, I can access and view the lookup with the inputlookup command, confirming the file’s existence and proper permissions on the search head.

The search I have trouble with (simplified):

index=main source_type=some_event_related_to_users
| lookup ldap_users.csv identity as src_user

However, this search instantaneously fails with:

[idx-[...].splunkcloud.com,idx-[...].splunkcloud.com,idx-[...].splunkcloud.com] The lookup table 'ldap_users.csv' does not exist or is not available.

I must confess I am rather new to Splunk and even newer to running a Splunk cluster. So I do not really understand why my indexers are looking for the file in the first place. I assumed that the search head would handle the lookup. In addition, as I am a Splunk Cloud customer, I don’t have access to the indexers anyway.

Can someone give me a pointer on how to achieve such a query in a Splunk Cloud Environment?

0 Karma

gcusello
SplunkTrust

Hi @Gravoc ,

at first check if the lookup name is correct (it's case sensitive).

Then check if you see the lookup using the Splunk Lookup Editor App.

Then check if you have created also the Lookup definition for this lookup.

At least check the grants on lookup and lookup definition.

Ciao.

Giuseppe

0 Karma

Gravoc
Observer

Hi @gcusello,

thanks for giving this quick reply.

I checked the filename both manually and a second time by using the following command:

| inputlookup ldap_users.csv

This returns the lookup as expected.

I can see and edit my lookup with the lookup editor app.

I also created a Lookup definition and set the permissions on both the lookup and the lookup definition to global read. I also use the lookup in my Enterprise Security Asset Management, and there it works flawlessly.

However, I managed to just utilize the merged identity lookup that Enterprise Security creates. It is not the solution to the original problem, but it solves my use case.

So for me the solution is to just utilize another lookup:

index=main source_type=some_event_related_to_users
| lookup identity_lookup_expanded identity as src_user

0 Karma

gcusello
SplunkTrust

Hi @Gravoc ,
maybe you created the lookup in a different app and didn't add the Global sharing level to the lookup and to the definition.

Instead, the ES lookups are shared at Global level; probably for this reason it runs.

Try to share the lookup and the definition as Global.

Ciao.

Giuseppe

0 Karma
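The sharing-level check suggested in the answer above, as an added example that is not code from the thread or from Splunk: a small parser for the JSON that the REST endpoint `/servicesNS/-/-/data/transforms/lookups?output_mode=json` returns, which reports the lookup definitions a search cannot reference from a given app context and user. The entries, app names and user names below are constructed sample data.

```python
"""Constructed sample modelled on the REST response shape: entry[].name,
entry[].acl.{app,owner,sharing} and entry[].content.filename."""
import json

SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "ldap_users", "content": {"filename": "ldap_users.csv"},
     "acl": {"app": "lookup_editor", "owner": "gravoc", "sharing": "app"}},
    {"name": "identity_lookup_expanded",
     "content": {"filename": "identity_lookup_expanded.csv"},
     "acl": {"app": "SA-IdentityManagement", "owner": "nobody",
             "sharing": "global"}},
    {"name": "scratch_users", "content": {"filename": "scratch_users.csv"},
     "acl": {"app": "search", "owner": "gravoc", "sharing": "user"}},
]})


def parse_lookup_definitions(raw_json):
    """Flatten each REST entry into the fields that decide visibility."""
    out = []
    for e in json.loads(raw_json).get("entry", []):
        out.append({"name": e["name"], "filename": e["content"]["filename"],
                    "app": e["acl"]["app"], "owner": e["acl"]["owner"],
                    "sharing": e["acl"]["sharing"]})
    return out


def is_visible(defn, app, user):
    """Splunk knowledge-object visibility: global objects are seen from every
    app, app-shared objects only inside their own app, private (user) objects
    only by their owner inside their own app."""
    if defn["sharing"] == "global":
        return True
    if defn["app"] != app:
        return False
    return defn["sharing"] == "app" or defn["owner"] == user


def hidden_definitions(raw_json, app, user):
    """Names of definitions a search run from `app` as `user` cannot use;
    these are the ones whose `| lookup` fails with 'not available'."""
    return sorted(d["name"] for d in parse_lookup_definitions(raw_json)
                  if not is_visible(d, app, user))


if __name__ == "__main__":
    # A search run from the (constructed) ES app context cannot see the
    # app-shared definition created in lookup_editor; the global ES one is fine.
    print(hidden_definitions(SAMPLE_RESPONSE, "SplunkEnterpriseSecuritySuite",
                             "gravoc"))
```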