I'm trying to figure out some discrepancies between the
outputlookup search command and the
action.populate_lookup saved search configuration option.
I started with a saved search to populate a lookup file using
outputlookup, in the form:
my_search_string | outputlookup my_lookup
Where "my_lookup" was a defined lookup in
transforms.conf. Then I decided that a better way would be to use the "populate_lookup" option in
savedsearches.conf, but I'm running into an error with this configuration:
[my_savedsearch] action.populate_lookup = 1 action.populate_lookup.dest = my_lookup search = my_search_string ...
I'm getting the following error in my
ERROR SearchScheduler - Error in 'SearchOperator:copyresults': The file destination is invalid. Splunk can only write '.csv' files to 'etc/system/lookups/' or 'etc/apps/<app-name>/lookups/'., search='copyresults dest="my_lookup" sid="scheduler__nobody__...."'
action.populate_lookup uses an undocumented internal command called 'copyresults' instead of 'outputlookup'. It requires a path relative to $SPLUNK_HOME, e.g., "etc/apps/myapp/lookups/my_lookup.csv" as the "dest".
Thanks. I think it would be helpful if the "dest" field would accept either form of input. That would certainly be more consistent with the "inputlookup" and "outputlookup" search commands. I submitted and ER.
We will likely fix it for 4.2. Having the user specify the full path is error prone. We will probably just have it match the semantics of outputlookup (easier a filename or stanza name)