Splunk Search

External lookup definition doesn't run when

aurelien_delama
Engager

Hello,

I'm trying to find out how external lookup definitions work. I have a Python script which tells me if the date and hour provided as input are a business hour or not.

My script is based on the DNS lookup example (external_lookup.py) script provided by Splunk. Here is the output:

[splunk@dummy bin]# /opt/splunk/bin/splunk cmd python /opt/splunk/etc/apps/dummy/bin/is_hno.py date_year date_month date_mday date_hour is_hno < test.csv
date_year,date_month,date_mday,date_hour,is_hno
2013,april,01,09,True
2013,april,02,02,True
2013,april,02,09,False

My transforms.conf file :

[hnocalc]
default_match = 0
external_cmd = $SPLUNK_HOME/etc/apps/dummy/bin/is_hno.py date_year date_month date_mday date_hour is_hno
fields_list = date_year,date_month,date_mday,date_hour,is_hno
max_matches = 1
min_matches = 1

My props.conf file :

[dummy]
LOOKUP-hnocalc = hnocalc date_hour date_mday date_month date_year OUTPUTNEW is_hno

When trying to use my new lookup definition :
* | lookup hnocalc date_year, date_month, date_mday, date_hour OUTPUTNEW is_hno

Splunk doesn't find my lookup definition; error message:
Error in 'lookup' command: The lookup table 'hnocalc' does not exist.

And the Python log file doesn't tell me anything about my script. It seems Splunk never runs my script. I've also checked my rights, but since I've made the entry it should be fine.

[root@dummy bin]# ls -al | grep is_hno.py
-rwxr-xr-x 1 splunk splunk 6924 mai 7 13:12 is_hno.py

And I'm stuck at this step. I've already tested an external CSV file, which works well, but as we have constraints in my country, using a scripted file is more appropriate.

Tell me if you have any idea about why Splunk doesn't run my script.

Regards,

Aurelien

0 Karma
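As an added example (not the poster's is_hno.py and not Splunk's external_lookup.py), here is a Python 3 script with the contract the post describes: field names on the command line, CSV rows on stdin, and the same rows with the output field filled in on stdout. It assumes is_hno means "heures non ouvrées" (True outside business hours), English month names, business hours Mon-Fri 08:00-17:59, and a constructed holiday set containing 2013-04-01 (Easter Monday), which is what makes it reproduce the three sample rows above.

```python
#!/usr/bin/env python3
"""Splunk-style external lookup: field names come as command-line
arguments, lookup rows arrive as CSV on stdin, and the same rows
leave on stdout with the output field (the last argument) filled in."""
import csv
import datetime
import io
import sys

# Assumptions of this example (not from the original post): English month
# names, business hours Mon-Fri 08:00-17:59, and a constructed holiday set.
MONTHS = {name: num for num, name in enumerate(
    ["january", "february", "march", "april", "may", "june", "july",
     "august", "september", "october", "november", "december"], start=1)}
BUSINESS_HOURS = range(8, 18)
HOLIDAYS = {datetime.date(2013, 4, 1)}  # constructed sample: Easter Monday 2013


def is_hno(year, month, mday, hour):
    """True for 'heures non ouvrees': weekend, holiday, or outside business hours."""
    day = datetime.date(int(year), MONTHS[month.strip().lower()], int(mday))
    if day.weekday() >= 5 or day in HOLIDAYS:
        return True
    return int(hour) not in BUSINESS_HOURS


def run_lookup(instream, outstream, fields):
    """Echo every input row; compute the last field from the preceding ones."""
    *inputs, output = fields
    writer = csv.DictWriter(outstream, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for row in csv.DictReader(instream):
        try:
            row[output] = str(is_hno(*(row[f] for f in inputs)))
        except (KeyError, ValueError):
            # Missing or unparsable date: leave the output empty for this row
            # instead of aborting the whole lookup.
            row[output] = ""
        writer.writerow({f: row.get(f, "") for f in fields})


def lookup_text(csv_text, fields):
    """Run the lookup over a CSV string and return the CSV result (handy for tests)."""
    out = io.StringIO()
    run_lookup(io.StringIO(csv_text), out, fields)
    return out.getvalue()


if __name__ == "__main__":
    run_lookup(sys.stdin, sys.stdout, sys.argv[1:])
```

The script takes the output field as the last argument, so external_cmd has to list the fields in that order, exactly as the transforms.conf stanza in the post does.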

jkat54
SplunkTrust

Does splunk have access to run the python script? Do you need to chown or chmod?

Have you tried placing the script here?

/etc/searchscripts

external_cmd = is_hno.py date_year date_month date_mday date_hour is_hno

Also, I'm ignorant of the external_cmd lookups. Does your external_cmd assume is_hno is known by Splunk but it isn't? It seems to me you should be doing it this way:

external_cmd = is_hno.py date_year date_month date_mday date_hour

0 Karma

aurelien_delama
Engager

Yes, Splunk is able to run the script (cf. my first post). I've moved the script into $SPLUNK_HOME/etc/searchscripts and it's not working either. I've tried using an absolute path, but with the same result. I've also removed the is_hno column, but I get the same error: Error in 'lookup' command: The lookup table 'hnocalc' does not exist.

0 Karma

aurelien_delama
Engager

I'm still stuck on this case. I've looked for other cases, but it seems I'm the first to get this kind of problem. As Ayn says, it may be related to the privileges, but I'm on the dummy app when trying to use the lookup and I have the privileges required to run it. I'll open a support case. I'll keep you informed! Thanks!

0 Karma

aurelien_delama
Engager

Yes, I've checked the scope with my credentials. I've used this command and my lookup is correctly listed under the dummy app.

[root@dummy local]# /opt/splunk/bin/splunk cmd btool transforms list --user= --app=dummy --debug
....
dummy [hnocalc]
dummy default_match = 0
dummy external_cmd = $SPLUNK_HOME/etc/apps/dummy/bin/is_hno.py date_year date_month date_mday date_hour is_hno
dummy fields_list = date_year,date_month,date_mday,date_hour,is_hno
dummy max_matches = 1
dummy min_matches = 1
....

And when searching, I'm on the dummy app.

0 Karma

Ayn
Legend

Did you have a look at the lookup's scope? Maybe it's only accessible within the "dummy" app and you're trying to access it from the "search" app or similar?
