outputlookup command not found

stehlampe69
Explorer

Hello,

eventually I'm missing something, but I've searched quite a lot.
My problem is that I cannot use outputlookup because I get the following error:
bash: outputlookup: Command not found.
I've tried to get a watchlist with the following command:
"getwatchlist http://amada.abuse.ch/blocklist.php?download=ipblocklist delimiter=# categoryCol=2 isbad=true | outputlookup amada.csv"
The getwatchlist doesn't work like this, but with a workaround (python getwatchlist.py ...) I get the data. But the real problem is that outputlookup isn't recognized.
If I type it in the search field in the Splunk Web frontend it works, but not in the console where I have to run the other command (getwatchlist).
Am I missing something to get this working on console? Any help would be nice.

Thanks in advance

Peter


dshpritz
SplunkTrust

Hey Peter,

From what you have said ("bash: outputlookup: Command not found."), it sounds like you are running getwatchlist from the shell. Getwatchlist will do this, but Splunk commands will not work. The command should be run from the Splunk web interface, via the search bar.

Here are some links that might help:

http://blogs.splunk.com/2011/08/16/getwatchlist-getting-watchlists-into-splunk-quickly-and-easily-wi...

and

http://blogs.splunk.com/2011/09/08/anonymous-proxies/

HTH,

Dave

stehlampe69
Explorer

Hello again,

first: Thank you dshpritz, you've helped me to figure out what I'm missing.
second: For all who have the same HowTo and come to this post because the command didn't work.
The command getwatchlist http://amada.abuse.ch/blocklist.php?download=ipblocklist delimiter=# categoryCol=2 isbad=true isn't getting anything back, because the URI has changed. The new URI is http://www.abuse.ch/zeustracker/blocklist.php?download=ipblocklist. There is also a DNS version of the list. Have a look: https://zeustracker.abuse.ch/blocklist.php

Happy splunking 🙂
