Splunk Search

Why is external_lookup.py not working?

a212830
Champion

Hi,

I have a search that suddenly stopped working. It does a DNS lookup using a lookup file. The errors are below. I tested the DNS lookup directly and it worked, but for some reason this search stopped working. The lookup input exists, the permissions are correct, and it has data.

The search:

index=network90 sourcetype=dns_syslog 
    [| inputlookup snhostname.csv 
    | fields syshostname ] 
| lookup dnslookup clientip as clientip OUTPUT clienthost as clienthostname 
| rex field=syshostname "(?<f1>[^.]*)" 
| rex field=clienthostname "(?<f2>[^.]*)" 
| eval shostname= upper(f1) 
| eval chostname= upper(f2) 
| convert timeformat="%Y-%m-%d" ctime(_time) AS ctime 
| stats count(chostname) by shostname chostname clientip ctime

Here are the errors:

22 errors occurred while the search was executing. Therefore, search results might be incomplete.
The limit has been reached for log messages in info.csv. 1 messages have not been written to info.csv. Please refer to search.log for these messages or limits.conf to configure this limit.
[l16oma2] Could not find 'external_lookup.py'. It is required for lookup 'dnslookup'.
[l16oma2] Streamed search execute failed because: Error in 'lookup' command: The lookup table 'dnslookup' does not exist or is not available.
[l18oma2] Could not find 'external_lookup.py'. It is required for lookup 'dnslookup'.
[l18oma2] Streamed search execute failed because: Error in 'lookup' command: The lookup table 'dnslookup' does not exist or is not available.
[l39oma1] Could not find 'external_lookup.py'. It is required for lookup 'dnslookup'.
0 Karma

sloshburch
Splunk Employee

Errors show the lookup is "missing". Since you said it worked when you ran it manually, I'm guessing it's a permissions issue.

The lookup likely lives in an app - the same app that you ran the search manually from.

The savedsearch probably lives in another app, and from that app-context, it doesn't have permission to see the lookup.

Someone probably changed the app or lookup's permissions from global recently...

0 Karma

a212830
Champion

That was my initial thought... but the lookup (snhostname.csv) appears in all apps and is read/write to everyone.

0 Karma

sloshburch
Splunk Employee

Hmmm. What about external_lookup.py? That's what the messages are stating is missing, not the csv file.

0 Karma