
Why am I getting "Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table" after upgrading the IP Reputation App?


I just recently upgraded the wonderful IP Reputation app, but now I am running into errors when I try to perform threatscore lookups.

Splunk tells me:

Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

I ran nslookup with my http:BL code and I am getting a valid reply.

When I try to run the script from the Splunk server, I get the following errors:

: File name too long
/opt/splunk/etc/apps/ipreputation/bin/ line 31: import: command not found
/opt/splunk/etc/apps/ipreputation/bin/ line 32: import: command not found
/opt/splunk/etc/apps/ipreputation/bin/ line 33: import: command not found
/opt/splunk/etc/apps/ipreputation/bin/ line 34: from: command not found
/opt/splunk/etc/apps/ipreputation/bin/ line 39: key: command not found
/opt/splunk/etc/apps/ipreputation/bin/ line 44: debug: command not found
/opt/splunk/etc/apps/ipreputation/bin/ line 46: syntax error near unexpected token `('
/opt/splunk/etc/apps/ipreputation/bin/ line 46: `    f = open('score_lookup_log.txt', 'a+')'

Any help would be appreciated.



Please check whether you have a mismatch between transforms.conf and the lookup script. Maybe you have a copy of transforms.conf in the local folder of the app directory. From version 1.0 to version 1.1 I added new available fields, so ensure that for 1.1 you have the following config:

transforms.conf needs to have:

[threatscore]
external_cmd = clientip threatscore
fields_list = clientip threatscore
days_since_last_activity visitor_type

Check that this content is in $splunkhome/etc/apps/ipreputation/default as well as in local, in case you modified something in the config there.

The lookup script needs to be version 1.1. Check that the header of the script in the bin/ directory of the app shows:

Version: 1.1

because that version of the Python script returns additional fields to Splunk:

out = "%s,%s,%s,%s" % (ip_address, threat_score, days_since_last_activity, visitor_type)

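The answer above comes down to one rule of Splunk external lookups: every field named in the stanza's fields_list must appear in the CSV header that the script writes back, otherwise the search fails with exactly the "Could not find all of the specified lookup fields" error from the question. The following added example (not the IP Reputation app's own script) models that protocol end to end: a constructed 1.1-style transforms.conf stanza, the CSV Splunk pipes to the script on stdin, a 1.0-style and a 1.1-style lookup function, and the consistency check that reports which fields are missing. The reputation data, the field values and the external_cmd name "lookup_script.py" are constructed placeholders.

```python
"""Model of a Splunk external (scripted) lookup, showing why the fields_list
in transforms.conf and the CSV header the lookup script emits must agree.

Added example, not the IP Reputation app's own script. The reputation data,
the field values and the external_cmd name are constructed.
"""
import configparser
import csv
import io

# Constructed transforms.conf stanza with the four fields of the 1.1 layout.
# "lookup_script.py" is a placeholder, not the app's real script name.
TRANSFORMS_CONF_11 = """
[threatscore]
external_cmd = lookup_script.py clientip threatscore days_since_last_activity visitor_type
fields_list = clientip threatscore days_since_last_activity visitor_type
"""

# What Splunk pipes into the script on stdin: a CSV whose header lists every
# field in fields_list, with the output fields left empty (constructed rows).
SPLUNK_STDIN = (
    "clientip,threatscore,days_since_last_activity,visitor_type\n"
    "192.0.2.10,,,\n"
    "198.51.100.7,,,\n"
)

# Constructed reputation data; a real script would query the http:BL DNS zone.
FAKE_REPUTATION = {
    "192.0.2.10": {"threatscore": "25", "days_since_last_activity": "3",
                   "visitor_type": "suspicious"},
}


def fields_list(transforms_text, stanza="threatscore"):
    """Return the fields_list of a transforms.conf stanza as a list of names."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(transforms_text)
    return cp[stanza]["fields_list"].split()


def lookup_v10(ip):
    """1.0-style result: only the IP and its score."""
    rec = FAKE_REPUTATION.get(ip, {})
    return {"clientip": ip, "threatscore": rec.get("threatscore", "")}


def lookup_v11(ip):
    """1.1-style result: adds the two extra fields the answer mentions."""
    rec = FAKE_REPUTATION.get(ip, {})
    return {
        "clientip": ip,
        "threatscore": rec.get("threatscore", ""),
        "days_since_last_activity": rec.get("days_since_last_activity", ""),
        "visitor_type": rec.get("visitor_type", ""),
    }


def run_lookup_script(stdin_csv, lookup_fn):
    """Body of an external lookup: read Splunk's CSV, look up each clientip and
    write one CSV row per input row. The header is whatever lookup_fn emits."""
    rows = list(csv.DictReader(io.StringIO(stdin_csv)))
    results = [lookup_fn(row["clientip"]) for row in rows]
    header = list(results[0]) if results else ["clientip"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    writer.writerows(results)
    return out.getvalue()


def missing_lookup_fields(transforms_text, script_output, stanza="threatscore"):
    """The consistency check behind the error in the question: every field in
    fields_list must appear in the script's output header. Returns the fields
    that are missing; an empty list means the lookup will work."""
    header = next(csv.reader(io.StringIO(script_output)))
    return [f for f in fields_list(transforms_text, stanza) if f not in header]


if __name__ == "__main__":
    for name, fn in (("1.0 script", lookup_v10), ("1.1 script", lookup_v11)):
        output = run_lookup_script(SPLUNK_STDIN, fn)
        print(name, "missing:", missing_lookup_fields(TRANSFORMS_CONF_11, output))
```

With the 1.1 stanza, the 1.0-style script leaves days_since_last_activity and visitor_type out of its header and the check flags them; the 1.1-style script satisfies it. When testing a lookup script by hand on the server, run it under Splunk's interpreter (`splunk cmd python <script>`) rather than executing the file directly: the `import: command not found` lines in the question are what you see when the shell, not Python, tries to interpret the source.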