Do I have to explicitly define each field that can be used by an external lookup in transforms.conf?

I've made an external lookup Python script that calculates the entropy of a field's value using the first block of code from this answer: https://answers.splunk.com/answers/13636/calculate-entropy-just-entropy-not-change-in-entropy-like-a...

That works. Now I'm implementing it in transforms as seen here: http://docs.splunk.com/Documentation/Splunk/6.3.1/Knowledge/Configureexternallookups
Or more specifically:

[<lookup_name>]: The name of the lookup.

external_cmd = <string>: The command and arguments that the Splunk platform should invoke to perform the lookup. The Splunk platform expects the command to be the name of the script, such as external_lookup.py.

external_type = [python|executable|kvstore|geo]: The type of script being used for the lookup. Can be python, for a Python script, or executable, for a binary executable. The kvstore and geo values are reserved for KV store lookups and geospatial lookups, respectively.

fields_list = <string>: is a list of all fields that are supported by the external lookup. The fields must be delimited by a comma followed by a space.

Question:
See fields_list above. I don't want to limit this lookup to any fields right now (this will not be an automatic lookup). Can I simply not add that line so that the external lookup command will work on any field I send to it?

0 Karma
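
The external lookup setup described in the question, as an added example that is not part of the original post and is not the entropy code from the linked answer. It shows how the names in fields_list become the header of the CSV the script reads on stdin and must write back on stdout; the stanza name entropy_lookup, the script name, and the generic field names value and entropy are assumptions.

```python
#!/usr/bin/env python
# Added example: external lookup script that fills in a Shannon entropy column.
# Assumed transforms.conf stanza (all names are hypothetical):
#   [entropy_lookup]
#   external_cmd  = entropy_lookup.py value entropy
#   external_type = python
#   fields_list   = value, entropy
import csv
import math
import sys
from collections import Counter


def shannon_entropy(text):
    """Return the entropy of text in bits per character (0.0 if empty)."""
    if not text:
        return 0.0
    total = float(len(text))
    return sum(-(n / total) * math.log(n / total, 2)
               for n in Counter(text).values())


def run_lookup(infile, outfile, in_field, out_field):
    """Read the partially empty CSV, fill out_field per row, write CSV back."""
    reader = csv.DictReader(infile)
    header = reader.fieldnames or []
    # Both names must be in the header, i.e. listed in fields_list.
    missing = [f for f in (in_field, out_field) if f not in header]
    if missing:
        raise ValueError("fields not in CSV header: %s" % ", ".join(missing))
    writer = csv.DictWriter(outfile, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row[out_field] = "%.4f" % shannon_entropy(row[in_field] or "")
        writer.writerow(row)


if __name__ == "__main__":
    # Field names arrive as the arguments given in external_cmd.
    if len(sys.argv) != 3:
        sys.exit("usage: entropy_lookup.py <input_field> <output_field>")
    run_lookup(sys.stdin, sys.stdout, sys.argv[1], sys.argv[2])
```

With generic names in fields_list, a search can map an event field onto them using the lookup command's AS clause, for example `| lookup entropy_lookup value AS uri OUTPUT entropy`, where uri is a hypothetical event field.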
Re: Do I have to explicitly define each field that can be used by an external lookup in transforms.conf?

Since it doesn't look like you can get around this, I ended up making a custom command instead: https://answers.splunk.com/answers/398976/can-someone-give-me-an-incredibly-simple-custom-st.html

0 Karma