Splunk Search

external lookup script on search head

sf_user_199
Path Finder

I've written an external lookup script that makes a REST call to an API and returns data. The API destination requires going through a firewall, so we are only allowing our search head to make the call.

When I use the lookup using tstats on the search head, the lookup executes very quickly. When I use it against searches that pull data from our indexers, the indexers appear to be running the script. This fails, however, due to the firewall not being open for the script to run.

I have local=true set on the lookup command, and also used localop.

Search:
| head 1 | localop | lookup local=true XXXX fieldA | table fieldA,lookupvalue

From the search inspector:
This search has completed and has returned 1 result by scanning 671 event in 1,141.566 seconds.

Error message in the search inspector for every indexer:
Script for lookup table 'XXXX' returned error code 1. Results may be incorrect.

Any suggestions? My next step is to block replication of this to indexers.

1 Solution

sf_user_199
Path Finder

Figured it out.

Had to put the lookup into its own app, and put a distsearch.conf file into default/ with a blacklist that prevented the entire app from being replicated.

[replicationBlacklist]
staylocal = apps/...


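A complete layout of the approach in the accepted answer, as an added example rather than the poster's own configuration. The app name search_head_only_lookup, the script name api_lookup.py, the stanza name api_lookup and the field names are assumptions; the page gives none of them. Splunk resolves replicationBlacklist patterns relative to $SPLUNK_HOME/etc, and "..." is the recursive wildcard, so one entry covers the script in bin/, the transforms.conf that defines the lookup, and anything else the app holds (for example the API credentials the script needs), none of which then leaves the search head.

```ini
# $SPLUNK_HOME/etc/apps/search_head_only_lookup/default/transforms.conf
# App, stanza, script and field names are assumptions, not from the original post.
# The script itself lives in $SPLUNK_HOME/etc/apps/search_head_only_lookup/bin/.
[api_lookup]
external_cmd = api_lookup.py fieldA lookupvalue
external_type = python
fields_list = fieldA, lookupvalue

# $SPLUNK_HOME/etc/apps/search_head_only_lookup/default/distsearch.conf
# Excludes the whole app from the knowledge bundle pushed to the indexers, so
# only the search head (the one host the firewall allows) ever runs the script.
[replicationBlacklist]
staylocal = apps/search_head_only_lookup/...
```

After a restart or bundle push, `splunk btool distsearch list replicationBlacklist --debug` on the search head confirms the stanza is picked up and which file it came from, and the app should no longer appear under $SPLUNK_HOME/var/run/searchpeers/ on the indexers; the per-indexer "returned error code 1" message in the search inspector disappears because the peers no longer have a script to run.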