Why is external_lookup.py not working?

a212830
Champion

Hi,

I have a search that suddenly stopped working. It does a DNS lookup using a lookup file. The errors are below. I tested the DNS lookup directly and it worked, but for some reason this search stopped working. The lookup input exists, and the permissions are correct and it has data.

The search:

index=network90 sourcetype=dns_syslog 
    [| inputlookup snhostname.csv 
    | fields syshostname ] 
| lookup dnslookup clientip as clientip OUTPUT clienthost as clienthostname 
| rex field=syshostname "(?<f1>[^.]*)" 
| rex field=clienthostname "(?<f2>[^.]*)" 
| eval shostname= upper(f1) 
| eval chostname= upper(f2) 
| convert timeformat="%Y-%m-%d" ctime(_time) AS ctime 
| stats count(chostname) by shostname chostname clientip ctime

Here are the errors:

22 errors occurred while the search was executing. Therefore, search results might be incomplete. Hide errors.
The limit has been reached for log messages in info.csv. 1 messages have not been written to info.csv. Please refer to search.log for these messages or limits.conf to configure this limit.
[l16oma2] Could not find 'external_lookup.py'. It is required for lookup 'dnslookup'.
[l16oma2] Streamed search execute failed because: Error in 'lookup' command: The lookup table 'dnslookup' does not exist or is not available.
[l18oma2] Could not find 'external_lookup.py'. It is required for lookup 'dnslookup'.
[l18oma2] Streamed search execute failed because: Error in 'lookup' command: The lookup table 'dnslookup' does not exist or is not available.
[l39oma1] Could not find 'external_lookup.py'. It is required for lookup 'dnslookup'.
0 Karma

sloshburch
Splunk Employee

Errors show the lookup is "missing". Since you said it worked when you ran it manually, I'm guessing it's a permissions issue.

The lookup likely lives in an app - the same app that you ran the search manually from.

The savedsearch probably lives in another app, and from that app-context, it doesn't have permission to see the lookup.

Someone probably changed the app or lookup's permissions from global recently...

0 Karma

a212830
Champion

That was my initial thought... but the lookup (snhostname.csv) appears in all apps and is read/write to everyone.

0 Karma

sloshburch
Splunk Employee

Hmmm. What about external_lookup.py? That's what the messages are stating is missing, not the csv file.

0 Karma