Splunk Search

external lookup script on search head

sf_user_199
Path Finder

I've written an external lookup script that makes a rest call to an API & returns data. The API destination requires going through a firewall, so we are only allowing our search head to make the call.

When I use the lookup using tstats on the search head, the lookup executes very quickly. When I use it against searches that pull data from our indexers, the indexers appear to be running the script. This fails, however, due to the firewall not being open for the script to run.

I have local=true set on the lookup command, and also used localop

Search:
| head 1 | localop | lookup local=true XXXX fieldA | table fieldA,lookupvalue

From the search inspector:
This search has completed and has returned 1 result by scanning 671 event in 1,141.566 seconds.

Error message in the search inspector for every indexer:
Script for lookup table 'XXXX' returned error code 1. Results may be incorrect.

Any suggestions? My next step is to block replication of this to indexers.

1 Solution

sf_user_199
Path Finder

Figured it out.

Had to put the lookup into it's own app, and put a distsearch.conf file into default/ with a blacklist that prevented the entire app from being replicated.

[replicationBlacklist]
staylocal = apps/...

View solution in original post

0 Karma

sf_user_199
Path Finder

Figured it out.

Had to put the lookup into it's own app, and put a distsearch.conf file into default/ with a blacklist that prevented the entire app from being replicated.

[replicationBlacklist]
staylocal = apps/...

0 Karma
Get Updates on the Splunk Community!

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...

Enterprise Security Content Update (ESCU) | New Releases

In October, the Splunk Threat Research Team had one release of new security content via the Enterprise ...