Splunk Search

difficulty in updating a lookup file via rest

dominiquevocat
SplunkTrust
SplunkTrust

i have a script that generates a csv under /var/run/splunk

I would like to update my lookup file

I read the docs and it says to post a request like this:

response = requests.post('https://localhost:8089/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv', data=payload, verify=False, headers=headers)

where headers are like this:

headers={'Authorization': 'Splunk xXxXxXXXxXXXy','Content-Type': 'application/json'}

and the data is like this:

{'eai:data': '/opt/splunk/var/run/splunk/cve.csv'}

i can read that endpoint like (excerpt):

  <entry>
    <title>cve.csv</title>
    <id>https://localhost:8089/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv</id>
    <updated>2018-02-02T15:57:56+01:00</updated>
    <link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv" rel="alternate"/>
    <author>
      <name>nobody</name>
    </author>
    <link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv" rel="list"/>
    <link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv/_reload" rel="_reload"/>
    <link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv" rel="edit"/>
    <link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv" rel="remove"/>
    <link href="/servicesNS/nobody/SA-cve/data/lookup-table-files/cve.csv/move" rel="move"/>

and it looks ok but post failes with

>>> print response
<Response [500]>
>>> print response.text
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">
 In handler 'lookup-table-files': Data could not be written: /nobody/SA-cve/lookups/cve.csv: /opt/splunk/var/run/splunk/cve.cvs</msg>
  </messages>
</response>
0 Karma

micahkemp
Champion

If you're creating a new lookup file, you need to POST to https://localhost:8089/servicesNS/nobody/SA-cve/data/lookup-table-files and include name in your data. You POST to https://localhost:8089/servicesNS/nobody/SA-cve/data/lookup-table-files/<name>; if you're replacing an existing lookup file.

Try POSTing to https://localhost:8089/servicesNS/nobody/SA-cve/data/lookup-table-files and see if that helps.

0 Karma

micahkemp
Champion

The response you included in your question shows cve.cvs for the filename, but your eai:data snippet suggests you mean cve.csv. Is there any chance you have a typo in your script somewhere?

0 Karma

dominiquevocat
SplunkTrust
SplunkTrust

hi, must be a typo when doing the ticket

I just tried again just in case 🙂 hope springs eternal but it was a typo

The lookup file is shared globaly
/opt/splunk/etc/apps/SA-cve/lookups/cve.csv | No owner | SA-cve | Global

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...