I have a script that generates a CSV under /var/run/splunk.
I would like to update my lookup file.
I read the docs and it says to post a request like this:
response = requests.post('https://localhost:8089/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv', data=payload, verify=False, headers=headers)
where headers are like this:
headers={'Authorization': 'Splunk xXxXxXXXxXXXy','Content-Type': 'application/json'}
and the data is like this:
{'eai:data': '/opt/splunk/var/run/splunk/cve.csv'}
I can read that endpoint like (excerpt):
<entry>
<title>cve.csv</title>
<id>https://localhost:8089/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv</id>
<updated>2018-02-02T15:57:56+01:00</updated>
<link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv" rel="list"/>
<link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv" rel="edit"/>
<link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv" rel="remove"/>
<link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv/move" rel="move"/>
and it looks OK, but the POST fails with:
>>> print response
<Response [500]>
>>> print response.text
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">
In handler 'lookup-table-files': Data could not be written: /nobody/SA-cve/lookups/cve.csv: /opt/splunk/var/run/splunk/cve.cvs</msg>
</messages>
</response>
If you're creating a new lookup file, you need to POST to https://localhost:8089/servicesNS/nobody/SA-cve/data/lookup-table-files and include name in your data. You POST to https://localhost:8089/servicesNS/nobody/SA-cve/data/lookup-table-files/<name> if you're replacing an existing lookup file.
Try POSTing to https://localhost:8089/servicesNS/nobody/SA-cve/data/lookup-table-files and see if that helps.
The response you included in your question shows cve.cvs for the filename, but your eai:data snippet suggests you mean cve.csv. Is there any chance you have a typo in your script somewhere?
Hi, must be a typo when doing the ticket.
I just tried again just in case 🙂 hope springs eternal, but it was a typo.
The lookup file is shared globally:
/opt/splunk/etc/apps/SA-cve/lookups/cve.csv | No owner | SA-cve | Global
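
The create-versus-replace distinction and the filename check raised in the answers above, as an added example that is not code from the thread or from Splunk. It only builds the URL and a form-encoded body and parses the error document, sending nothing; the helper names and the rule that a basename mismatch is rejected are assumptions of this example.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode

BASE = "https://localhost:8089"  # management URL as used in the thread

# The error body shown in the question, embedded so the example runs offline.
SAMPLE_ERROR = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<response><messages><msg type="ERROR">'
    "In handler 'lookup-table-files': Data could not be written: "
    "/nobody/SA-cve/lookups/cve.csv: /opt/splunk/var/run/splunk/cve.cvs"
    "</msg></messages></response>"
)


def build_lookup_post(owner, app, name, staged_path, exists):
    """Return (url, form_body) for the create or replace request (hypothetical helper)."""
    staged_name = posixpath.basename(staged_path)
    # This example's own policy, not a Splunk rule: a basename that differs
    # from the lookup name is treated as a typo (cve.cvs vs cve.csv).
    if staged_name != name:
        raise ValueError(f"staged file {staged_name!r} does not match lookup {name!r}")
    collection = "{}/servicesNS/{}/{}/data/lookup-table-files".format(
        BASE, quote(owner, safe=""), quote(app, safe=""))
    if exists:
        # Replace: POST to .../lookup-table-files/<name> with eai:data only.
        return collection + "/" + quote(name, safe=""), urlencode({"eai:data": staged_path})
    # Create: POST to the collection and include name in the data.
    return collection, urlencode({"name": name, "eai:data": staged_path})


def splunk_messages(body):
    """Extract (type, text) pairs from a <response><messages> document."""
    root = ET.fromstring(body)
    return [(m.get("type"), (m.text or "").strip()) for m in root.iter("msg")]


if __name__ == "__main__":
    path = "/opt/splunk/var/run/splunk/cve.csv"
    print(build_lookup_post("nobody", "SA-cve", "cve.csv", path, exists=False))
    print(build_lookup_post("nobody", "SA-cve", "cve.csv", path, exists=True))
    print(splunk_messages(SAMPLE_ERROR))
```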