Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I getting error "can't find xxx.csv" using a oneshot search and lookup via Python?

afg797s
Engager
‎12-13-2015 04:04 PM

Hello all,

I am trying to run a oneshot search in Python that contains a lookup function of a .csv. I can run any other search through my Python app as long as it doesn't contain a lookup. When I run the search in Splunk it works fine. When I run the lookup in Python, I get an error saying can't find xxx.csv. Is there a way to use a oneshot search and lookup via python?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎12-14-2015 03:37 AM

Yes, and you're probably doing it correctly... except for I'm assuming the lookup "doesnt exists" for one of the following reasons:

User you're using with oneshot doesnt have read access to lookup (splunk permissions fix)
Lookup.csv is owned by someone other than the user that is running splunkd (linux permissions / chown to fix)
Lookup.csv is not on the server you're querying

Also you should enable_lookups on your oneshot:

There's a good explanation here under "GET search/jobs/export"... search the page for enable_lookups. Sometimes it defaults to true, but not always... and maybe they've changed it to default to false, etc.

http://dev.splunk.com/view/java-sdk/SP-CAAAEHQ

View solution in original post

Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎12-14-2015 03:37 AM

Yes, and you're probably doing it correctly... except for I'm assuming the lookup "doesnt exists" for one of the following reasons:

User you're using with oneshot doesnt have read access to lookup (splunk permissions fix)
Lookup.csv is owned by someone other than the user that is running splunkd (linux permissions / chown to fix)
Lookup.csv is not on the server you're querying

Also you should enable_lookups on your oneshot:

There's a good explanation here under "GET search/jobs/export"... search the page for enable_lookups. Sometimes it defaults to true, but not always... and maybe they've changed it to default to false, etc.

http://dev.splunk.com/view/java-sdk/SP-CAAAEHQ

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...