Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

External Python Lookup not working with Splunk 8.0 with Python 3

blueelvis
Engager
‎12-05-2019 06:01 AM

Hi,

  1. I have setup Splunk v8.0 in a separate VM and configured it to run strictly Python 3. Both my environments (Splunk v7 & Splunk v8) are wired to pull the same data for Audit/Operational logs from Azure. Despite having the same configuration for the External Lookup, I am getting NIL values in response in Splunk v8. I checked the input which was being passed to the script as well and it is not correct from what I see because that data is not present in the context of that search and other records are not being sent to the lookup script.

  2. Furthermore, when I try to execute the lookup with Splunk’s Command line Python, the script executes properly and I am able to see the logs and response as well –

    PS C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\bin> & "C:\Program Files\Splunk\bin\splunk.exe" cmd python3 Transformation.py '{\"Id\":\"9afcad57-09c3-4d2d-9049-18b15e733f66\",\"Properties\":{\"PrincipalId\":\"e0572058-cc90-453d-adc9-3
    e60a1361006\",\"RoleDefinitionId\":\"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7\",\"Scope\":\"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/resourceGroups/ARC
    /providers/Microsoft.Web/sites/cus-fun-01\"}}'
    {"Id":"9afcad57-09c3-4d2d-9049-18b15e733f66","Properties":{"PrincipalId":"e0572058-cc90-453d-adc9-3e60a1361006","RoleDefinitionId":"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"
    ,"Scope":"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/resourceGroups/ARC/providers/Microsoft.Web/sites/cus-fun-01"}}
    {'Name': 'read-only', 'Type': 'User'}
    BuiltInRole/Reader
    /subscriptions/Azure Subscription/resourceGroups/ARC/providers/Microsoft.Web/sites/cus-fun-01

This implies that the Lookup script is compatible with Python 3 and is working with Splunk’s inbuild Python 3 interpreter but looks like something is going wrong when data is coming in when Splunk is trying to look up as part of a search. Whenever the search happens with this External Lookup in Splunk, it gives me NIL values for several records which are not part of the search context and when I try navigating to those records, Splunk doesn’t find any.

Any idea what might be the issue here?

Thanks,
Pranav

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...
Top