Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using Lookup in Python SDK

MK3
Explorer
‎08-22-2024 08:03 AM

Hello,

I have a query -

searchquery_oneshot = "search (index=__* ... events{}.name=ResourceCreated) | dedup \"events{}.tags.A\" | spath \"events{}.tags.A\" || lookup Map.csv \"B\" OUTPUT \"D\" | table ... | collect ...

I ran this using Python SDK in VSCode as -

oneshotsearch_results = service.jobs.oneshot(searchquery_oneshot, **kwargs_oneshot)
conn.cursor().execute(sql, val)

I ran the above using psycopg2 and got this error-
FATAL: Error in 'lookup' command: Could not construct lookup 'Map.csv, B, OUTPUT, D'. See search.log for more details.

The above query works when run inside splunk enterprise i.e. map.csv is looked-up and result fetched correctly.
How do I locate my search.log? It is  splunkhome/var/lib/dispatch/run I assume. What is the error above?

Thanks

Labels (2)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎08-24-2024 10:14 PM

@MK3- I believe its an permission and/or app-context issue.

When you create service object,

  • Provide the same username you use to login on Splunk UI
  • Provide the same App name which you use on UI and search works fine
service = client.connect(host="<ip/hostname>", username="<username>", password="<user-passwd", app="<same app as you use on UI>")

 

I hope this helps!!!!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-23-2024 12:39 AM

Have you tried using a kv store instead of csv as I know that csv lookup don't work for python custom commands?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...