From the url http://blogs.splunk.com/2009/09/14/enriching-data-with-db-lookups-part-2/
i read the following excerpt
“The Python program gets its city field input via standard CSV input from Splunk, calls SQL to find the corresponding country, and produces the aggregate CSV output that contains the city with its correlated country”
On further analyzing this statement I infer “Splunk Web interface Serializes input to Stdin and the Python Script using a CSV reader object reads the input from Stdin”
Hence the presence of following code snippet in Python external lookup script r = csv.reader(sys.stdin)
Having said that the value of variable “r” is empty and the lookup script does nothing
I arrived at this statement by printing debugging statements to log file
Is there anyone who can help with this?
Hi,
make sure you have imported the csv library:
import csv #for splunk batch input/output
additional to this you need to add a loop to read each line and enrich each line and give it back into std output. here is a sample which reads the client ip, executes the method scorelookup and brings the values back.
br
matthias
def main():
#print 'starte main'
if len(sys.argv) != 3:
print "Usage: python [ip field] [threatscore]"
sys.exit(0)
r = csv.reader(sys.stdin)
w = csv.writer(sys.stdout)
clientip = sys.argv[1]
threatscore = sys.argv[2]
header = []
first = True
for line in r:
if first:
header = line
if clientip not in header:
print "IP field must exist in CSV data"
sys.exit(0)
csv.writer(sys.stdout).writerow(header)
w = csv.DictWriter(sys.stdout, header)
first = False
continue
# Read the result
result = {}
i = 0
while i < len(header):
if i < len(line):
result[header[i]] = line[i]
else:
result[header[i]] = ''
i += 1
# Perform the lookup
if len(result[clientip]):
ts = scorelookup(result[clientip])
out = "%s,%s" % (result[clientip],ts)
print out
main()
#f.close()