All Apps and Add-ons

How to run custom python script from search app?



I would like to call directly from splunk search using | scorelookup ip 0 (also why must we add an argument after the ip?)

I think I should create commands.conf in etc/apps/search/local


0 Karma

Splunk Employee
Splunk Employee

Hi realsplunk,

i think you are asking that you want to call it from the search app. I just did a default installation and the lookup definition you found is set to global by default. So it should work in the search app - scripted lookup is called "threatscore" - not scorelookup. It's also not a search command - it's a scripted lookup so you need to add "lookup" in front of it.

correct use:
lookup threatscore clientip as %yourcustomfieldifnotclientip%

In the lookup you do not need to add another parameter (0). That's just in the config what's coming back to Splunk (IP+Score is sent back from the script into Splunk then).

Hope that helps you.

0 Karma


You're looking for a custom search command, it seems. The scope of implementing one can be large (or not so large), but you probably want to start here:

0 Karma