All Apps and Add-ons

Splunk external lookup script within app not running

ShawnClark
Explorer

Based on the documentation:

The script must be located in one of two places:
$SPLUNK_HOME/etc/searchscripts
$SPLUNK_HOME/etc/apps/<app_name>/bin
See "More about the external lookup script" for more information about how such scripts work.

When I have the script within the apps/<app_name>/bin directory it is never picked up. When I move it to the searchscripts directory it runs just fine. Is the ability to have external lookup scripts within an app not possible? (Splunk 6.3)

Here is my transforms.conf:

[testLookup]
external_cmd=test_lookup.py testField1 testField2
external_type=python
fields_list=testField1, testField2

goelli
Communicator

I had the same issue on Splunk 6.4.4 and had to make sure, that the metadata/default.meta included not only the permission for the lookup. I simply added:

[]
access = read : [ * ], write : [ * ]
export = system

supersleepwalke
Communicator

I have the same problem.

Here's the very basic lookup script I've created (external_lookup.py)

import logging

logging.basicConfig(filename='/tmp/splunk-external_lookup-hello.log',level=logging.DEBUG)
logging.debug("foo")

If I put it in $SPLUNK_HOME/etc/apps/<app_name>/bin, I get the error

Could not find 'external_lookup.py'. It is required for lookup 'external_lookup'.

But if I put it in $SPLUNK_HOME/etc/apps/<app_name>/bin it works fine.

0 Karma

muebel
SplunkTrust
SplunkTrust

I don't know for sure if this matters, but is your transforms in the same app you are putting the script in?

0 Karma

ShawnClark
Explorer

Yes my transforms.conf is in the app.

0 Karma

scruse
Path Finder

are you on NT or *nix, and what are the permissions on the script?

0 Karma

ShawnClark
Explorer

*nix and I have given execute permissions to the user (splunk) and all just to make sure it can get access to it.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...