Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is lookup command not working in Splunk REST API?

georgear7
Communicator
‎01-23-2023 08:57 PM

I'm consuming data from Splunk REST API endpoints for other purposes. However, it is throwing this error because I used the "lookup" command in the query. Could anyone assist me in resolving this issue?

If the "lookup" command is not used, the query works properly.


Error:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="FATAL">Error in 'lookup' command: Could not construct lookup 'master_sheet.csv, host, as, host, OUTPUT, LOB, Region, Application, Environment'. See search.log for more details.</msg>
</messages>
</response>

 

Query:
curl -k -u user:pass https://localhost:8089/services/search/jobs --data-urlencode search='search index=foo sourcetype=abc source=*fs.log | rex "(?<Date>.*)\|(?<Mounted>.*)\|(?<Size>.*)\|(?<Used>.*)\|(?<Avail>.*)\|(?<Used_PCT>.*)\|(?<Filesystem>.*)" | eval Used_PCT=replace(Used_PCT,"%","") | search Filesystem IN (/apps, /logs) | stats latest(*) as * by host,Filesystem | where Used_PCT>=80 | sort -Used_PCT | rename Used_PCT as "Use%" | table host,Filesystem,Size,Used,Avail,Use% | lookup master_sheet.csv host as host OUTPUT LOB,Region,Application,Environment | table host,LOB,Region,Application,Environment,Filesystem,Size,Used,Avail,"Use%"' -d id=mysearch_1234567

curl -u user:pass -k https://localhost:8089/services/search/jobs/mysearch_1234567/results --get -d output_mode=csv

 

Labels (1)
Labels
Tags (3)
0 Karma
Reply

manjunathmeti
SplunkTrust
SplunkTrust
‎01-23-2023 11:05 PM

Hi @georgear7,

1. Check if you can run the query in the search app
2. Check the API user role permissions to master_sheet.csv in Splunk

0 Karma
Reply

georgear7
Communicator
‎01-29-2023 09:45 PM

Hi @manjunathmeti ,

1. Check if you can run the query in the search app - Yes, it's runing fine & producing results
2. Check the API user role permissions to master_sheet.csv in Splunk - Lookup file is owned by my ID. So there should not be any permission issue.

0 Karma
Reply

manjunathmeti
SplunkTrust
SplunkTrust
‎01-29-2023 10:23 PM 
Check search.log in Search job inspector for search SID.

Activity >> Jobs
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! &#x1f308; In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...