I've made an external lookup Python script that calculates the entropy of a field's value using the first block of code from this answer: https://answers.splunk.com/answers/13636/calculate-entropy-just-entropy-not-change-in-entropy-like-a...
That works. Now I'm implementing it in transforms as seen here: http://docs.splunk.com/Documentation/Splunk/6.3.1/Knowledge/Configureexternallookups
Or more specifically:
[<lookup_name>]: The name of the lookup.
external_cmd = <string>: The command and arguments that the Splunk platform should invoke to perform the lookup. The Splunk platform expects the command to be the name of the script, such as external_lookup.py.
external_type = [python|executable|kvstore|geo]: The type of script being used for the lookup. Can be python, for a Python script, or executable, for a binary executable. The kvstore and geo values are reserved for KV store lookups and geospatial lookups, respectively.
fields_list = <string>: is a list of all fields that are supported by the external lookup. The fields must be delimited by a comma followed by a space.
Question:
See fields_list above. I don't want to limit this lookup to any fields right now (this will not be an automatic lookup). Can I simply not add that line so that the external lookup command will work on any field I send to it?
Since it doesn't look like you can get around this, I ended up making a custom command instead: https://answers.splunk.com/answers/398976/can-someone-give-me-an-incredibly-simple-custom-st.html
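For reference, a sketch of an entropy external lookup with the input and output fields named explicitly (an added example, not the poster's script or the code from the linked answers). The lookup name `entropy_lookup` and the field names `value` and `entropy` are assumptions; the script follows the external lookup convention of reading CSV with a header row on stdin and writing the completed CSV to stdout.

```python
import csv
import io
import math
import sys
from collections import Counter

# Assumed transforms.conf stanza (hypothetical names, not from the post):
#   [entropy_lookup]
#   external_cmd = entropy_lookup.py value entropy
#   fields_list = value, entropy


def shannon_entropy(text):
    """Shannon entropy of the string, in bits per character."""
    total = len(text)
    return sum((n / total) * math.log2(total / n)
               for n in Counter(text).values())


def run_lookup(infile, outfile, in_field, out_field):
    """Read the lookup CSV, fill out_field from in_field, write CSV back."""
    reader = csv.DictReader(infile)
    header = list(reader.fieldnames or [])
    if in_field not in header:
        raise ValueError("input field %r is not in the CSV header" % in_field)
    if out_field not in header:
        header.append(out_field)
    writer = csv.DictWriter(outfile, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row[out_field] = "%.4f" % shannon_entropy(row.get(in_field) or "")
        writer.writerow(row)


# Constructed sample of the CSV handed to the script on stdin.
SAMPLE_INPUT = "value,entropy\naaaa,\nabcd,\naabb,\n"


def demo():
    out = io.StringIO()
    run_lookup(io.StringIO(SAMPLE_INPUT), out, "value", "entropy")
    return out.getvalue()


if __name__ == "__main__":
    if len(sys.argv) == 3:
        run_lookup(sys.stdin, sys.stdout, sys.argv[1], sys.argv[2])
    else:
        sys.stdout.write(demo())
```

With a stanza like the assumed one, a search would rename whichever field it wants scored onto the lookup's input field, for example `| lookup entropy_lookup value AS some_field OUTPUT entropy`.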