Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Splunk API request for inputlookup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Everyone, we have another internal team that is trying to use the API to return some data we built for them. Unfortunately, they aren't able to get the payload but only the headers. Can someone suggest a solution or what we are doing wrong? the below is the response from the splunk API on their call.
Target: https://SomeHost:Port/servicesNS/user/search/search/jobs/export
Request body:
search=search inputlookup somefile.csv | table Day User emp_id Data
Response:
<results preview='0'>
<meta>
<fieldOrder>
<field>Day</field>
<field>User</field>
<field>emp_id</field>
<field>Data</field>
</fieldOrder>
</meta>
</results>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@PickleRick , thanks for leading us down the path. We actually had to append to get the data. What worked was the code below. Thank you for getting us there.
search=search NOT * | inputlookup somefile.csv append=true | table Day User emp_id Data- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@PickleRick , thanks for leading us down the path. We actually had to append to get the data. What worked was the code below. Thank you for getting us there.
search=search NOT * | inputlookup somefile.csv append=true | table Day User emp_id Data- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Rick. We will give this a shot and let you know the results. Appreciate you helping.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's not entirely clear what you're trying to achieve.
The search
search=search inputlookup somefile.csv
will try to find events which contain literarily "inputtlookup" and "somefile.csv" strings in them (and of course field named search with value "search" but that's most probably a placeholder for some other part of a search).
So your initial search matches no results and the table command has no data to process so you only get column headers.
If you want the contents of a lookup, you need an inputlookup command on its own:
| inputlookup somefile.csv | table your set of fields
If you want the lookup to be applied to results of a search, just use lookup command
your search | lookup somefile.csv field | table [...]
If you want to append the results of the inputlookup command to the results of a search, just use inputlookup with append=true option
your search | inputlookup append=true somefile.csv | table [...]
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
