I'm trying to figure out some discrepancies between the outputlookup search command and the action.populate_lookup saved search configuration option.
I started with a saved search to populate a lookup file using outputlookup, in the form:
my_search_string | outputlookup my_lookup
Where "my_lookup" was a defined lookup in transforms.conf. Then I decided that a better way would be to use the "populate_lookup" option in savedsearches.conf, but I'm running into an error with this configuration:
[my_savedsearch]
action.populate_lookup = 1
action.populate_lookup.dest = my_lookup
search = my_search_string
...
I'm getting the following error in my splunkd log:
ERROR SearchScheduler - Error in 'SearchOperator:copyresults': The file destination is invalid. Splunk can only write '.csv' files to 'etc/system/lookups/' or 'etc/apps/<app-name>/lookups/'., search='copyresults dest="my_lookup" sid="scheduler__nobody__...."'
action.populate_lookup uses an undocumented internal command called 'copyresults' instead of 'outputlookup'. It requires a path relative to $SPLUNK_HOME, e.g., "etc/apps/myapp/lookups/my_lookup.csv" as the "dest".
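As an added example (not code from the thread or from Splunk), here is a small pre-deployment check that applies the constraint quoted in the splunkd error above to the action.populate_lookup.dest values in a savedsearches.conf: the dest must be a '.csv' file under etc/system/lookups/ or etc/apps/<app-name>/lookups/, relative to $SPLUNK_HOME. The function names check_populate_lookup_dest and audit_savedsearches are hypothetical, the embedded savedsearches.conf text is constructed (the stanza from the question next to a corrected one), and the rejection of absolute paths and '..' segments is an extra defensive check added here, not something the page says Splunk enforces.

```python
import configparser
import posixpath
import re
from typing import Dict, Optional

# Constructed sample savedsearches.conf: the stanza from the question (dest is a
# bare lookup name, which copyresults rejects) and a corrected stanza using a
# $SPLUNK_HOME-relative path to a .csv file in an app's lookups directory.
SAMPLE_SAVEDSEARCHES_CONF = """
[my_savedsearch]
action.populate_lookup = 1
action.populate_lookup.dest = my_lookup
search = my_search_string

[my_savedsearch_fixed]
action.populate_lookup = 1
action.populate_lookup.dest = etc/apps/myapp/lookups/my_lookup.csv
search = my_search_string
"""

# Directories the error message says copyresults will write to, relative to $SPLUNK_HOME.
_ALLOWED_DIR_RE = re.compile(r"^etc/(system|apps/[A-Za-z0-9_.-]+)/lookups$")


def check_populate_lookup_dest(dest: str) -> Optional[str]:
    """Return None if dest satisfies the copyresults constraint, else a reason string.

    The constraint is the one quoted in the splunkd error: a '.csv' file under
    'etc/system/lookups/' or 'etc/apps/<app-name>/lookups/', relative to $SPLUNK_HOME.
    Rejecting absolute paths and '.'/'..' segments is an assumption added here as a
    defensive measure; the page does not state that Splunk performs that check.
    """
    if not dest:
        return "dest is empty"
    if dest.startswith("/") or dest.startswith("\\"):
        return "dest must be relative to $SPLUNK_HOME, not absolute"
    # A path that normalisation would change contains '.', '..' or doubled slashes.
    if posixpath.normpath(dest) != dest or ".." in dest.split("/"):
        return "dest must be a plain relative path without '.' or '..' segments"
    head, tail = posixpath.split(dest)
    if not tail.endswith(".csv") or tail == ".csv":
        return "dest must name a '.csv' file (a bare lookup name like 'my_lookup' is not accepted)"
    if not _ALLOWED_DIR_RE.match(head):
        return "dest must be under etc/system/lookups/ or etc/apps/<app-name>/lookups/"
    return None


def audit_savedsearches(conf_text: str) -> Dict[str, Optional[str]]:
    """Parse savedsearches.conf text and check every stanza with populate_lookup enabled.

    Returns a mapping of stanza name -> None (valid) or a reason string (invalid).
    """
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(conf_text)
    results: Dict[str, Optional[str]] = {}
    for stanza in parser.sections():
        if parser.get(stanza, "action.populate_lookup", fallback="0").strip() != "1":
            continue
        dest = parser.get(stanza, "action.populate_lookup.dest", fallback="").strip()
        results[stanza] = check_populate_lookup_dest(dest)
    return results


if __name__ == "__main__":
    for stanza, problem in audit_savedsearches(SAMPLE_SAVEDSEARCHES_CONF).items():
        print(f"[{stanza}] {'OK' if problem is None else 'INVALID: ' + problem}")
```

Run against the constructed sample, the original stanza is reported as invalid (bare lookup name, no '.csv', no lookups directory) while the corrected stanza passes; the same function can be pointed at a real savedsearches.conf before it is pushed to a search head.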
What does action.lookup in savedsearches.conf do? The description reads similar to populate_lookup?
We will likely fix it for 4.2. Having the user specify the full path is error prone. We will probably just have it match the semantics of outputlookup (either a filename or stanza name).
Thanks. I think it would be helpful if the "dest" field would accept either form of input. That would certainly be more consistent with the "inputlookup" and "outputlookup" search commands. I submitted an ER.