Splunk Cloud: Lookups

Gravoc
Observer

Hi Splunk Experts,

I hope to get a quick hint on my issue. I have a Splunk Cloud setup with two search heads, one of which is dedicated to Enterprise Security. I have different lookups on this search head containing, e.g., all user attributes. I wanted to enhance a specific search using the lookup command as described in the documentation.

Additionally, I can access and view the lookup with the inputlookup command, confirming the file’s existence and proper permissions on the search head.

The search I have trouble with (simplified):

index=main source_type=some_event_related_to_users
| lookup ldap_users.csv identity as src_user

However, this search instantaneously fails with:

[idx-[...].splunkcloud.com,idx-[...].splunkcloud.com,idx-[...].splunkcloud.com] The lookup table 'ldap_users.csv' does not exist or is not available.

I must confess I am rather new to Splunk and even newer to running a Splunk cluster. So I do not really understand why my indexers are looking for the file in the first place. I assumed that the search head would handle the lookup. In addition, as I am a Splunk Cloud customer, I don’t have access to the indexers anyway.

Can someone give me a pointer on how to achieve such a query in a Splunk Cloud Environment?


gcusello
SplunkTrust

Hi @Gravoc ,

At first, check if the lookup name is correct (it's case sensitive).

Then check if you see the lookup using the Splunk Lookup Editor App.

Then check if you have also created the Lookup definition for this lookup.

Finally, check the grants on the lookup and the lookup definition.

Ciao.

Giuseppe


Gravoc
Observer

Hi @gcusello,

thanks for giving this quick reply.

I checked the filename both manually and a second time by using the following command:

| inputlookup ldap_users.csv

This returns the lookup as expected.

I can see and edit my lookup with the lookup editor app.

I also created a Lookup definition and set the permissions on both the lookup and the lookup definition to global read. I also use the lookup in my Enterprise Security Asset Management - and there it works flawlessly.

However, I managed to just utilize the merged identity lookup that Enterprise Security creates. It is not the solution to the original problem - but it solves my use case.

So for me the solution is to just utilize another lookup:

index=main source_type=some_event_related_to_users 
| lookup identity_lookup_expanded identity as src_user


gcusello
SplunkTrust

Hi @Gravoc ,
maybe you created the lookup in a different app and didn't add the Global sharing level to the lookup and to the definition.

Instead, the ES lookups are shared at Global level; probably for this reason it runs.

Try to share both the lookup and the definition as Global.

Ciao.

Giuseppe

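The checks Giuseppe lists (exact case-sensitive name, an existing lookup definition, and the sharing level of both the file and the definition) can be walked through on a small model. The following is an added example written for this thread, not Splunk's own code or anything from the posters: it models the private/app/global sharing rules for knowledge objects and reports why a `| lookup <name>` run from a given app context would or would not find its table. The inventory, the user names and the app name "es_app" are constructed placeholders.

```python
from dataclasses import dataclass
# Constructed model of Splunk knowledge-object sharing (not Splunk's code): a lookup is
# two objects, the CSV file and the lookup definition, each with its own app and sharing.
@dataclass(frozen=True)
class LookupObject:
    name: str           # exact name; Splunk lookup names are case-sensitive
    kind: str           # "file" (the .csv) or "definition" (transforms stanza)
    app: str            # app the object was created in
    owner: str
    sharing: str        # "private", "app" or "global"
    filename: str = ""  # definitions only: the backing CSV file

def is_visible(obj: LookupObject, user: str, app: str) -> bool:
    """global: visible everywhere; app: only inside its app; private: owner only, inside its app."""
    if obj.sharing == "global":
        return True
    if obj.sharing == "app":
        return obj.app == app
    return obj.app == app and obj.owner == user

def resolve_lookup(name: str, objects: list, user: str, app: str) -> tuple:
    """Explain whether `| lookup <name>` run by `user` in `app` finds its table.
    A name ending in .csv refers to the file; any other name is a lookup definition."""
    kind = "file" if name.endswith(".csv") else "definition"
    exact = [o for o in objects if o.kind == kind and o.name == name]
    if not exact:
        similar = [o.name for o in objects if o.kind == kind and o.name.lower() == name.lower()]
        hint = f" (names are case-sensitive; did you mean {similar[0]!r}?)" if similar else ""
        return False, f"no {kind} named {name!r}{hint}"
    visible = [o for o in exact if is_visible(o, user, app)]
    if not visible:
        o = exact[0]
        return False, f"{kind} {name!r} is shared at {o.sharing!r} level in app {o.app!r}, not visible from {app!r}"
    if kind == "definition":  # a definition is only usable if its backing file is visible too
        return resolve_lookup(visible[0].filename, objects, user, app)
    return True, "ok"

# Constructed inventory resembling the thread: a user-created lookup shared only inside
# the "search" app and an ES identity lookup shared globally ("es_app" is a placeholder).
OBJECTS = [
    LookupObject("ldap_users.csv", "file", "search", "gravoc", "app"),
    LookupObject("ldap_users", "definition", "search", "gravoc", "app", "ldap_users.csv"),
    LookupObject("identity_lookup_expanded.csv", "file", "es_app", "admin", "global"),
    LookupObject("identity_lookup_expanded", "definition", "es_app", "admin", "global",
                 "identity_lookup_expanded.csv"),
]
if __name__ == "__main__":
    for n in ("ldap_users.csv", "LDAP_users.csv", "ldap_users", "identity_lookup_expanded"):
        print(n, resolve_lookup(n, OBJECTS, "gravoc", "es_app"))
```

Run from the ES app context, only the globally shared identity lookup resolves, which is the behaviour the thread describes; re-sharing the user lookup at Global level makes the first case pass too.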