Splunk Search

External Lookup script Never works

bansi
Path Finder

From the url http://blogs.splunk.com/2009/09/14/enriching-data-with-db-lookups-part-2/

i read the following excerpt

“The Python program gets its city field input via standard CSV input from Splunk, calls SQL to find the corresponding country, and produces the aggregate CSV output that contains the city with its correlated country”

On further analyzing this statement I infer “Splunk Web interface Serializes input to Stdin and the Python Script using a CSV reader object reads the input from Stdin”

Hence the presence of following code snippet in Python external lookup script r = csv.reader(sys.stdin)

Having said that the value of variable “r” is empty and the lookup script does nothing

I arrived at this statement by printing debugging statements to log file

Is there anyone who can help with this?

0 Karma

Matthias_BY
Communicator

Hi,

make sure you have imported the csv library:

import csv #for splunk batch input/output

additional to this you need to add a loop to read each line and enrich each line and give it back into std output. here is a sample which reads the client ip, executes the method scorelookup and brings the values back.

br
matthias

def main():
    #print 'starte main'

    if len(sys.argv) != 3:
        print "Usage: python [ip field] [threatscore]"
        sys.exit(0)
    r = csv.reader(sys.stdin)
    w = csv.writer(sys.stdout)
    clientip = sys.argv[1]
    threatscore = sys.argv[2]

    header = []
    first = True

    for line in r:
        if first:
            header = line
            if clientip not in header:
                print "IP field must exist in CSV data"
                sys.exit(0)
            csv.writer(sys.stdout).writerow(header)
            w = csv.DictWriter(sys.stdout, header)
            first = False
            continue

        # Read the result
        result = {}
        i = 0
        while i < len(header):
            if i < len(line):
                result[header[i]] = line[i]
            else:
                result[header[i]] = ''
            i += 1

        # Perform the lookup
        if len(result[clientip]):
            ts = scorelookup(result[clientip])
            out = "%s,%s" % (result[clientip],ts)
            print out

main()

#f.close()
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...