
How to run custom python script from search app?

splunkreal
Motivator

Hello,

I would like to call scorelookup.py directly from a Splunk search using | scorelookup ip 0 (also, why must we add an argument after the ip?)

I think I should create commands.conf in etc/apps/search/local

Thanks.

* If this helps, please upvote or accept solution if it solved *

mmaier_splunk
Splunk Employee

Hi realsplunk,

I think you are asking how to call it from the search app. I just did a default installation, and the lookup definition you found is set to global by default, so it should work in the search app. The scripted lookup is called "threatscore" - not scorelookup. It's also not a search command - it's a scripted lookup, so you need to add "lookup" in front of it.

correct use:
lookup threatscore clientip as %yourcustomfieldifnotclientip%

In the lookup you do not need to add another parameter (0). That's just in the config for what's coming back to Splunk (IP + score is sent back from the script into Splunk).

Hope that helps you.
Best

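To make the scripted-lookup point concrete, here is an added example of what a script like the "threatscore" lookup has to look like on the Splunk side. It is not the script from the thread or from any Splunk app; it assumes a transforms.conf stanza with external_cmd and fields_list (shown in the module docstring as an assumption) and uses a small constructed threat list in place of a real feed. Splunk runs the script with the field names as arguments, pipes a CSV of the search results' field values to stdin, and reads the same CSV back with the output column filled in, which is why no extra parameter is needed in the search itself.

```python
"""Scripted (external) lookup in the shape Splunk expects.

Assumed transforms.conf stanza (an assumption for this example, not from the thread):
    [threatscore]
    external_cmd = threatscore.py clientip score
    fields_list  = clientip, score

Splunk then runs:  python threatscore.py clientip score
and pipes a CSV with the header "clientip,score" to stdin; the script
must write the same CSV back with the "score" column filled in.
"""
import csv
import io
import ipaddress
import sys

# Constructed sample threat list (documentation ranges only); a real
# script would load a feed from disk or a cache rather than hard-code it.
THREAT_LIST = {
    "198.51.100.7": 90,     # single host
    "203.0.113.0/24": 60,   # whole network
}


def score_for(ip_text):
    """Return the highest matching risk score for one IP, or "" if none/unparsable."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return ""  # garbage in the field: leave the output column empty
    best = ""
    for entry, score in THREAT_LIST.items():
        net = ipaddress.ip_network(entry, strict=False)
        if ip in net and (best == "" or score > best):
            best = score
    return best


def enrich(csv_in, in_field, out_field):
    """Fill out_field for every row of csv_in (CSV text) and return the CSV text.

    Mirrors the stdin/stdout contract: same header in and out, input column
    untouched, output column populated where a score is known.
    """
    reader = csv.DictReader(io.StringIO(csv_in))
    fieldnames = reader.fieldnames or []
    if in_field not in fieldnames or out_field not in fieldnames:
        raise ValueError("CSV header must contain both %r and %r" % (in_field, out_field))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        if row.get(in_field):  # rows without the input value pass through unchanged
            row[out_field] = score_for(row[in_field])
        writer.writerow(row)
    return out.getvalue()


def main(argv):
    # Splunk passes the field names from external_cmd as the arguments.
    if len(argv) != 3:
        sys.stderr.write("usage: threatscore.py <input field> <output field>\n")
        return 1
    sys.stdout.write(enrich(sys.stdin.read(), argv[1], argv[2]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the stanza above in place, the search form from the answer applies unchanged, e.g. `... | lookup threatscore clientip as src_ip`, and Splunk adds the score field to each event whose src_ip matched; unknown or malformed addresses simply get no score rather than an error, so a bad feed entry cannot break the search.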

micahkemp
Champion

You're looking for a custom search command, it seems. The scope of implementing one can be large (or not so large), but you probably want to start here:

http://dev.splunk.com/view/python-sdk/SP-CAAAEU2
