Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

What are we doing wrong in our Splunk API request for inputlookup?

jnichols914
Explorer
‎08-08-2022 07:11 AM

Hi Everyone, we have another internal team that is trying to use the API to return some data we built for them. Unfortunately, they aren't able to get the payload but only the headers. Can someone suggest a solution or what we are doing wrong? the below is the response from the splunk API on their call.

 

Target: https://SomeHost:Port/servicesNS/user/search/search/jobs/export 

Request body:

 

 

 

 

search=search inputlookup somefile.csv | table Day User emp_id Data

 

 

 

 

 

Response:

 

 

 

 

<results preview='0'>
<meta>
<fieldOrder>
<field>Day</field>
<field>User</field>
<field>emp_id</field>
<field>Data</field>
</fieldOrder>
</meta>
</results>

 

 

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jnichols914
Explorer
‎08-10-2022 07:04 AM

@PickleRick , thanks for leading us down the path. We actually had to append to get the data. What worked was the code below. Thank you for getting us there.

search=search NOT * | inputlookup somefile.csv append=true | table Day User emp_id Data

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jnichols914
Explorer
‎08-10-2022 07:04 AM

@PickleRick , thanks for leading us down the path. We actually had to append to get the data. What worked was the code below. Thank you for getting us there.

search=search NOT * | inputlookup somefile.csv append=true | table Day User emp_id Data
0 Karma
Reply
Solved! Jump to solution

jnichols914
Explorer
‎08-10-2022 06:24 AM

Thanks Rick. We will give this a shot and let you know the results. Appreciate you helping.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎08-08-2022 07:59 AM

It's not entirely clear what you're trying to achieve.

The search

search=search inputlookup somefile.csv

will try to find events which contain literarily "inputtlookup" and "somefile.csv" strings in them (and of course field named search with value "search" but that's most probably a placeholder for some other part of a search).

So your initial search matches no results and the table command has no data to process so you only get column headers.

If you want the contents of a lookup, you need an inputlookup command on its own:

| inputlookup somefile.csv | table your set of fields

If you want the lookup to be applied to results of a search, just use lookup command

your search | lookup somefile.csv field | table [...]

If you want to append the results of the inputlookup command to the results of a search, just use inputlookup with append=true option

your search | inputlookup append=true somefile.csv | table [...]
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...