Splunk Dev

Using inputlookup with external_cmd

cygnetix
Path Finder

Hi all,

Is it possible to use inputlookup to pull a list of information from a scripted lookup?

The documentation for inputlookup seems to suggest this is possible:

The lookup table can be configured for any lookup type (CSV, external, or KV store).

But the documentation for transforms.conf where the scripted input is defined states

Your external lookup script must take in a partially empty CSV file and output a filled-in CSV file

Which implies that it can't be used with a generating command like inputlookup.

I'm trying to pull in a CSV from a threat intel feed but in a way that would allow me to do so using a scheduled search rather than a scripted input or modular input. Any thoughts on how best to do this if using a scripted input with inputlookup isn't possible?
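For readers unfamiliar with the contract the transforms.conf documentation quoted above is describing, here is an added example of an external lookup script (written for this page, not code from the original poster or from Splunk). It assumes a hypothetical stanza such as `[testlookup]` with `external_cmd = ti_lookup.py indicator threat_name confidence` and `fields_list = indicator, threat_name, confidence`; the indicator table is constructed. Splunk pipes the script a CSV whose header lists those fields, with the input field populated and the output fields blank, and expects the same header back with the blanks filled. The script only ever sees rows that a search has already produced, which is the practical reason it has nothing to generate when called with no input, as `| inputlookup` would.

```python
#!/usr/bin/env python3
"""Minimal Splunk external (scripted) lookup, added here for illustration.

Assumed transforms.conf (hypothetical names):
    [testlookup]
    external_cmd = ti_lookup.py indicator threat_name confidence
    fields_list  = indicator, threat_name, confidence

Splunk runs the script with the field names as arguments and writes a CSV
to stdin: a header row, then one row per event with `indicator` set and the
output fields empty. The script must echo the header and fill the gaps.
Only the forward direction (indicator -> threat_name, confidence) is handled.
"""
import csv
import io
import sys

# Constructed sample intel table standing in for a real feed (assumption,
# not a real dataset): indicator -> (threat_name, confidence).
INTEL = {
    "198.51.100.23": ("ExampleBotnet C2", "high"),
    "evil.example.net": ("Phishing kit host", "medium"),
}


def fill_rows(rows, input_field, output_fields, intel=INTEL):
    """Fill the empty output fields of each row from the intel table.

    Rows whose indicator is unknown are passed through unchanged, so Splunk
    sees an empty value rather than a dropped event. Values Splunk already
    supplied are never overwritten.
    """
    for row in rows:
        key = (row.get(input_field) or "").strip().lower()
        hit = intel.get(key)
        if hit is None:
            continue  # unknown indicator: leave the output fields blank
        for name, value in zip(output_fields, hit):
            if not row.get(name):
                row[name] = value
    return rows


def process_csv(text, input_field, output_fields, intel=INTEL):
    """Run the lookup over a whole CSV document and return the output CSV."""
    reader = csv.DictReader(io.StringIO(text))
    fieldnames = reader.fieldnames or []
    rows = fill_rows(list(reader), input_field, output_fields, intel)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()  # Splunk expects the same header it sent
    writer.writerows(rows)
    return out.getvalue()


def main(argv=None):
    """Entry point used by Splunk: field names on argv, CSV on stdin."""
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) < 2:
        sys.stderr.write("usage: ti_lookup.py <input_field> <output_field> [...]\n")
        return 2
    sys.stdout.write(process_csv(sys.stdin.read(), argv[0], argv[1:]))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To exercise it outside Splunk, pipe a two-column-plus CSV into the script by hand, e.g. `printf 'indicator,threat_name,confidence\n198.51.100.23,,\n' | python3 ti_lookup.py indicator threat_name confidence`. Note that there is no code path that produces rows from nothing; a feed fetch would have to live in a generating command or a modular input, which is the direction the accepted answer below takes.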

1 Solution

starcher
Influencer

If you really want to do it in SPL then I would suggest a custom search command. I don't think you are going to get inputlookup to work since it is likely requiring arguments to lookup on.

http://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Writeasearchcommand


0 Karma

spunk_enthusias
Path Finder

When running

| inputlookup testlookup

(which is an external lookup) I get the error message:

The lookup table 'testlookup' requires a .csv or KV store lookup definition

... so I assume this isn't an intended use case.

Quite a bummer because (as per some of my earlier posts) custom search commands kind of suck.

0 Karma


cygnetix
Path Finder

I converted my script to work as a search command not long after posting the question. I agree that it looks like a search command or modular input are the way to go, but I believe that Splunk should update their documentation for inputlookup if it's not possible to use scripted lookups with this command (as the documentation currently states).

0 Karma

cygnetix
Path Finder

I've sent a comment on the documentation page for inputlookup to query whether the statement that inputlookup will work with scripted lookups is correct or not. I suspect it is incorrect.

0 Karma

starcher
Influencer

Yup, the docs feedback is the best way to get Splunk to update the docs. The docs team watches it carefully.

0 Karma

cygnetix
Path Finder

Search logs show:

03-08-2017 10:20:03.398 WARN SearchOperator:inputcsv - sid:1488932400.14 The lookup table 'testlookup' is invalid.

So it looks like, possibly, it's trying to load my scripted lookup using inputcsv?

0 Karma