Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

"outputlookup" vs "action.populate_lookup"?

Lowell
Super Champion
‎08-27-2010 02:04 PM

I'm trying to figure out some discrepancies between the outputlookup search command and the action.populate_lookup saved search configuration option.

I started with a saved search to populate a lookup file using outputlookup, in the form:

my_search_string | outputlookup my_lookup

Where "my_lookup" was a defined lookup in transforms.conf. Then I decided that a better way would be to use the "populate_lookup" option in savedsearches.conf, but I'm running into an error with this configuration:

[my_savedsearch]
action.populate_lookup = 1
action.populate_lookup.dest = my_lookup
search = my_search_string
...

I'm getting the following error in my splunkd log:

ERROR SearchScheduler - Error in 'SearchOperator:copyresults': The file destination is invalid. Splunk can only write '.csv' files to 'etc/system/lookups/' or 'etc/apps/<app-name>/lookups/'., search='copyresults dest="my_lookup" sid="scheduler__nobody__...."'

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-27-2010 02:29 PM

action.populate_lookup uses an undocumented internal command called 'copyresults' instead of 'outputlookup'. It requires a path relative to $SPLUNK_HOME, e.g., "etc/apps/myapp/lookups/my_lookup.csv" as the "dest".

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-27-2010 02:29 PM

action.populate_lookup uses an undocumented internal command called 'copyresults' instead of 'outputlookup'. It requires a path relative to $SPLUNK_HOME, e.g., "etc/apps/myapp/lookups/my_lookup.csv" as the "dest".

Reply
Solved! Jump to solution

immortalraghava
Path Finder
‎03-14-2018 01:07 AM

What does action.lookup in savedsearches.conf do? Description reads similar to populate_lookup?

0 Karma
Reply
Solved! Jump to solution

steveyz
Splunk Employee
Splunk Employee
‎08-27-2010 04:40 PM

We will likely fix it for 4.2. Having the user specify the full path is error prone. We will probably just have it match the semantics of outputlookup (easier a filename or stanza name)

0 Karma
Reply
Solved! Jump to solution

Lowell
Super Champion
‎08-27-2010 03:48 PM

Thanks. I think it would be helpful if the "dest" field would accept either form of input. That would certainly be more consistent with the "inputlookup" and "outputlookup" search commands. I submitted and ER.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...