AppInspect check_all_lookups_are_used too restrictive?

Graham_Hanningt
Builder

Excerpt from an AppInspect report:

[ Failure Summary ]
Failures will block the Cloud Vetting. They must be fixed.
check_all_lookups_are_used
Lookup file my_trans.csv is not referenced in transforms.conf. File: default/transforms.conf

The report is correct: my_trans.csv (not its real name) is not referenced in transforms.conf.

However, my_trans.csv is referenced by a macro in the app. From the app's macros.conf:

[myapp_exclude_my_trans]
definition = NOT [|inputlookup my_trans.csv]

From the description of this check in the AppInspect docs:

Check that all files in the /lookups directory are referenced in transforms.conf.

Why must files in the /lookups directory be referenced in transforms.conf?

Do I really need to add:

[mylookuptable]
filename = my_trans.csv

just to satisfy AppInspect?

1 Solution

kamlesh_vaghela
SplunkTrust

@Graham_Hannington

I think yes, you should use the lookup name instead of the file name in macros.conf.

transforms.conf

[mylookuptable]
filename = my_trans.csv

macros.conf

[myapp_exclude_my_trans]
definition = NOT [|inputlookup mylookuptable ]

Can you please try it?

Graham_Hanningt
Builder

@kamlesh_vaghela ,

Thank you! Yes, I've tried it, and it works.

I had completely overlooked what you describe: that the inputlookup command can refer to a transforms.conf stanza name instead of the .csv file name. That explains a lot! In particular, as @nickhillscpl points out (thank you, too!) why AppInspect checks this. I "get it" now.

Thanks again to both of you for your advice, much appreciated. I'm now one step closer to that AppInspect badge.


nickhills
Ultra Champion

Great news! I have added @kamlesh_vaghela's comment as an answer. Please accept it and upvote any posts that helped!

If my comment helps, please give it a thumbs up!

Graham_Hanningt
Builder

@kamlesh_vaghela ,

If you feel like converting your comment into an answer, I'll accept it.


nickhills
Ultra Champion

Building on @kamlesh_vaghela's answer. Best practice is not to use lookup CSV files directly.
The reason for this is that you cannot define some of the lookup options, such as match results or wildcard matching, without using a definition.
It also allows for future expansion to move to KV store without having to reconstruct your knowledge objects.
This is why the process encourages you to use a lookup definition, and use that definition name in your searches and macros in place of the CSV filename.

If my comment helps, please give it a thumbs up!
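
The check and the fix discussed in this thread, as an added example (not AppInspect's code and not written by any poster here): a simplified local pre-check that lists lookup files with no transforms.conf stanza and macros that still name a .csv file directly. The function names and the regular expression are assumptions, line continuations in .conf files are not handled, and the sample stanzas are the ones quoted in the thread.

```python
import re

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; continuations not handled."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

# A lookup command, optional key=value arguments, then a bare .csv file name.
CSV_REF = re.compile(
    r"\b(?:inputlookup|outputlookup|lookup)\s+(?:\w+=\S+\s+)*([\w.\-]+\.csv)\b", re.I)

def audit(lookup_files, transforms_text, macros_text):
    """Return (files with no transforms.conf stanza, macros naming a .csv directly)."""
    by_file = {s["filename"]: name
               for name, s in parse_conf(transforms_text).items() if "filename" in s}
    unreferenced = sorted(f for f in lookup_files if f not in by_file)
    direct = [(macro, csv_name, by_file.get(csv_name))  # third item: definition to use
              for macro, s in parse_conf(macros_text).items()
              for csv_name in CSV_REF.findall(s.get("definition", ""))]
    return unreferenced, direct

# Constructed inputs, taken from the stanzas quoted in this thread.
LOOKUPS = ["my_trans.csv"]
TRANSFORMS_FIXED = "[mylookuptable]\nfilename = my_trans.csv\n"
MACROS_BEFORE = "[myapp_exclude_my_trans]\ndefinition = NOT [|inputlookup my_trans.csv]\n"
MACROS_FIXED = "[myapp_exclude_my_trans]\ndefinition = NOT [|inputlookup mylookuptable ]\n"

if __name__ == "__main__":
    for label, t, m in [("before", "", MACROS_BEFORE),
                        ("stanza added, macro unchanged", TRANSFORMS_FIXED, MACROS_BEFORE),
                        ("fixed", TRANSFORMS_FIXED, MACROS_FIXED)]:
        print(label, audit(LOOKUPS, t, m))
```

The middle case shows why adding the stanza alone is only half the change: the file is now referenced, but the macro still bypasses the definition, and the third tuple element names the definition to use instead.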

bowesmana
SplunkTrust

@nickhills Just came across your comment, which made me chuckle, that the AppInspect process encourages us to use definitions - while I agree with the principle of using definitions, I would say that a hard failure is not exactly an encouragement - it's a point-blank computer say NO 😏
