Splunk Search

Why is lookup command not working in Splunk REST API?

georgear7
Communicator

I'm consuming data from Splunk REST API endpoints for other purposes. However, it is throwing this error because I used the "lookup" command in the query. Could anyone assist me in resolving this issue?

If the "lookup" command is not used, the query works properly.


Error:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="FATAL">Error in 'lookup' command: Could not construct lookup 'master_sheet.csv, host, as, host, OUTPUT, LOB, Region, Application, Environment'. See search.log for more details.</msg>
</messages>
</response>

 

Query:
curl -k -u user:pass https://localhost:8089/services/search/jobs --data-urlencode search='search index=foo sourcetype=abc source=*fs.log | rex "(?<Date>.*)\|(?<Mounted>.*)\|(?<Size>.*)\|(?<Used>.*)\|(?<Avail>.*)\|(?<Used_PCT>.*)\|(?<Filesystem>.*)" | eval Used_PCT=replace(Used_PCT,"%","") | search Filesystem IN (/apps, /logs) | stats latest(*) as * by host,Filesystem | where Used_PCT>=80 | sort -Used_PCT | rename Used_PCT as "Use%" | table host,Filesystem,Size,Used,Avail,Use% | lookup master_sheet.csv host as host OUTPUT LOB,Region,Application,Environment | table host,LOB,Region,Application,Environment,Filesystem,Size,Used,Avail,"Use%"' -d id=mysearch_1234567

curl -u user:pass -k https://localhost:8089/services/search/jobs/mysearch_1234567/results --get -d output_mode=csv

 

Labels (1)
Tags (3)
0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

Hi @georgear7,

1. Check if you can run the query in the search app
2. Check the API user role permissions to master_sheet.csv in Splunk

0 Karma

georgear7
Communicator

Hi @manjunathmeti ,

1. Check if you can run the query in the search app - Yes, it's runing fine & producing results
2. Check the API user role permissions to master_sheet.csv in Splunk - Lookup file is owned by my ID. So there should not be any permission issue.

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust
Check search.log in Search job inspector for search SID.

Activity >> Jobs
0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...