Splunk Search

external lookup script on search head

sf_user_199
Path Finder

I've written an external lookup script that makes a REST call to an API & returns data. The API destination requires going through a firewall, so we are only allowing our search head to make the call.

When I use the lookup using tstats on the search head, the lookup executes very quickly. When I use it against searches that pull data from our indexers, the indexers appear to be running the script. This fails, however, due to the firewall not being open for the script to run.

I have local=true set on the lookup command, and also used localop.

Search:
| head 1 | localop | lookup local=true XXXX fieldA | table fieldA,lookupvalue

From the search inspector:
This search has completed and has returned 1 result by scanning 671 event in 1,141.566 seconds.

Error message in the search inspector for every indexer:
Script for lookup table 'XXXX' returned error code 1. Results may be incorrect.

Any suggestions? My next step is to block replication of this to indexers.

1 Solution

sf_user_199
Path Finder

Figured it out.

Had to put the lookup into its own app, and put a distsearch.conf file into default/ with a blacklist that prevented the entire app from being replicated.

[replicationBlacklist]
staylocal = apps/...


0 Karma
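
An added example (not from the original post and not Splunk's own code): a pre-deployment check that approximates the wildcard handling documented for distsearch.conf replication patterns ('...' matches across directories, '*' stops at a directory separator) and reports which knowledge-bundle paths a blacklist would keep on the search head. The app name api_lookup_local, the sample file paths, treating all other characters as literals, and whole-path matching relative to $SPLUNK_HOME/etc are assumptions.

```python
import re

def splunk_pattern_to_regex(pattern):
    """Translate '...' and '*' wildcards to a regex; other characters are literal (assumption)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")        # '...' crosses directory separators
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")     # '*' stays inside one path segment
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))

def parse_blacklist(conf_text):
    """Return {name: pattern} from the [replicationBlacklist] stanza only."""
    rules, in_stanza = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_stanza = (line == "[replicationBlacklist]")
        elif in_stanza and "=" in line:
            name, _, pat = line.partition("=")
            rules[name.strip()] = pat.strip()
    return rules

def split_bundle(conf_text, paths):
    """Partition candidate bundle paths into (replicated, kept_local)."""
    regexes = [splunk_pattern_to_regex(p) for p in parse_blacklist(conf_text).values()]
    replicated, kept_local = [], []
    for p in paths:
        (kept_local if any(r.fullmatch(p) for r in regexes) else replicated).append(p)
    return replicated, kept_local

# Constructed sample: hypothetical app name and files, paths relative to $SPLUNK_HOME/etc.
SAMPLE_CONF = "[replicationBlacklist]\nstaylocal = apps/api_lookup_local/...\n"
SAMPLE_PATHS = [
    "apps/api_lookup_local/bin/api_lookup.py",
    "apps/api_lookup_local/default/transforms.conf",
    "apps/api_lookup_local_extra/lookups/x.csv",  # similar name, not covered by the pattern
    "apps/search/lookups/geo.csv",
]

if __name__ == "__main__":
    replicated, kept_local = split_bundle(SAMPLE_CONF, SAMPLE_PATHS)
    print("kept on search head:", kept_local)
    print("still replicated:   ", replicated)
```

The trailing slash before '...' is what keeps the similarly named app in the replicated set; any script that holds API credentials or needs firewall access should show up only under the kept-local list.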
