Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why is lookup command not working in Splunk REST API?

georgear7
Communicator
‎01-23-2023 08:57 PM

I'm consuming data from Splunk REST API endpoints for other purposes. However, it is throwing this error because I used the "lookup" command in the query. Could anyone assist me in resolving this issue?

If the "lookup" command is not used, the query works properly.


Error:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="FATAL">Error in 'lookup' command: Could not construct lookup 'master_sheet.csv, host, as, host, OUTPUT, LOB, Region, Application, Environment'. See search.log for more details.</msg>
</messages>
</response>

 

Query:
curl -k -u user:pass https://localhost:8089/services/search/jobs --data-urlencode search='search index=foo sourcetype=abc source=*fs.log | rex "(?<Date>.*)\|(?<Mounted>.*)\|(?<Size>.*)\|(?<Used>.*)\|(?<Avail>.*)\|(?<Used_PCT>.*)\|(?<Filesystem>.*)" | eval Used_PCT=replace(Used_PCT,"%","") | search Filesystem IN (/apps, /logs) | stats latest(*) as * by host,Filesystem | where Used_PCT>=80 | sort -Used_PCT | rename Used_PCT as "Use%" | table host,Filesystem,Size,Used,Avail,Use% | lookup master_sheet.csv host as host OUTPUT LOB,Region,Application,Environment | table host,LOB,Region,Application,Environment,Filesystem,Size,Used,Avail,"Use%"' -d id=mysearch_1234567

curl -u user:pass -k https://localhost:8089/services/search/jobs/mysearch_1234567/results --get -d output_mode=csv

 

Labels (1)
Labels
Tags (3)
0 Karma
Reply

manjunathmeti
Champion
‎01-23-2023 11:05 PM

Hi @georgear7,

1. Check if you can run the query in the search app
2. Check the API user role permissions to master_sheet.csv in Splunk

0 Karma
Reply

georgear7
Communicator
‎01-29-2023 09:45 PM

Hi @manjunathmeti ,

1. Check if you can run the query in the search app - Yes, it's runing fine & producing results
2. Check the API user role permissions to master_sheet.csv in Splunk - Lookup file is owned by my ID. So there should not be any permission issue.

0 Karma
Reply

Perichila
New Member
‎06-19-2023 03:32 AM

Hello @georgear7 ,

I have the same problem, i am unable to run queries with lookups in Splunk with python.

Have you fix that problem?

Thanks 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-27-2023 01:49 PM

Hi

have you try /servicesNS/ instead of /services/ ? Like this

curl -ku $PASS https://localhost:8089/servicesNS/nobody/search/search/jobs --data-urlencode ....

r. Ismo

0 Karma
Reply

manjunathmeti
Champion
‎01-29-2023 10:23 PM 
Check search.log in Search job inspector for search SID.

Activity >> Jobs
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...