Solved: external lookup script on search head

sf_user_199 · ‎05-23-2013

I've written an external lookup script that makes a rest call to an API & returns data. The API destination requires going through a firewall, so we are only allowing our search head to make the call.

When I use the lookup using tstats on the search head, the lookup executes very quickly. When I use it against searches that pull data from our indexers, the indexers appear to be running the script. This fails, however, due to the firewall not being open for the script to run.

I have local=true set on the lookup command, and also used localop

Search:
| head 1 | localop | lookup local=true XXXX fieldA | table fieldA,lookupvalue

From the search inspector:
This search has completed and has returned 1 result by scanning 671 event in 1,141.566 seconds.

Error message in the search inspector for every indexer:
Script for lookup table 'XXXX' returned error code 1. Results may be incorrect.

Any suggestions? My next step is to block replication of this to indexers.

sf_user_199 · ‎05-24-2013

Figured it out.

Had to put the lookup into it's own app, and put a distsearch.conf file into default/ with a blacklist that prevented the entire app from being replicated.

[replicationBlacklist]
staylocal = apps/...

View solution in original post

sf_user_199 · ‎05-24-2013

Figured it out.

Had to put the lookup into it's own app, and put a distsearch.conf file into default/ with a blacklist that prevented the entire app from being replicated.

[replicationBlacklist]
staylocal = apps/...

external lookup script on search head

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio