- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Federated Search -How do I create lookup file with...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Federated Search -How do I create lookup file with results?
We are working with several remote datasets that are combined to give our end user a specific result.
Federated Search gives us an LDAP dn, which we are trying to use to pull enhancing information from another remote source via a REST API. The following search works:
index=federated:remote_dataset userid="cn=" | \
eval dn=lower(userid) | \
dedup dn | \
table dn
The idea is to use a scheduled search to populate a csv with a list of DNs at the top of every hour, then use a cron job to spawn a python script which generates a new CSV that contains the DN and the enhancing data from the REST API source. Our python script is working, however when we add "|outputlookup dn.csv append=true" to the otherwise functional SPL, we get nothing.
This fails:
index=federated:remote_dataset userid="cn=" | \
eval dn=lower(userid) | \
dedup dn | \
table dn | \
outputlookup dn.csv append=true
Is this a limitation of Federated Search?
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you see any error when running the search? (in Job dropdown you should see some message).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Similar issue. There are no error logs per say. The search log shows the the output appears to be happening on the remote SH.
Results written to file '/opt/splunk/etc/apps/search/lookups/mylookup.csv' on serverName=',<<remoteServerName>>
In other words, if I login to my local search head and run this and get an output of 100 entries:
| federated from:my report | outputlookup mylookup.csvThen I run this (Again on the local search head), it will be empty:
| inputlookup mylookup.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use '| append [ | noop ]' as a workaround:
| from federated <>
| append [ | noop ]
| outputlookup <>.csv
Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...
Preparing your Splunk Environment for OpenSSL3
Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector
