Using Lookup in Python SDK

MK3 · ‎08-22-2024

Hello,

I have a query -

searchquery_oneshot = "search (index=__* ... events{}.name=ResourceCreated) | dedup \"events{}.tags.A\" | spath \"events{}.tags.A\" || lookup Map.csv \"B\" OUTPUT \"D\" | table ... | collect ...

I ran this using Python SDK in VSCode as -

oneshotsearch_results = service.jobs.oneshot(searchquery_oneshot, **kwargs_oneshot)
conn.cursor().execute(sql, val)

I ran the above using psycopg2 and got this error-
FATAL: Error in 'lookup' command: Could not construct lookup 'Map.csv, B, OUTPUT, D'. See search.log for more details.

The above query works when run inside splunk enterprise i.e. map.csv is looked-up and result fetched correctly.
How do I locate my search.log? It is splunkhome/var/lib/dispatch/run I assume. What is the error above?

Thanks

VatsalJagani · ‎08-24-2024

@MK3- I believe its an permission and/or app-context issue.

When you create service object,

Provide the same username you use to login on Splunk UI
Provide the same App name which you use on UI and search works fine

service = client.connect(host="<ip/hostname>", username="<username>", password="<user-passwd", app="<same app as you use on UI>")

I hope this helps!!!!

ITWhisperer · ‎08-23-2024

Have you tried using a kv store instead of csv as I know that csv lookup don't work for python custom commands?

Using Lookup in Python SDK

python

SDK

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?