Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

External Python Lookup not working with Splunk 8.0 with Python 3

blueelvis
Engager
‎12-05-2019 06:01 AM

Hi,

  1. I have setup Splunk v8.0 in a separate VM and configured it to run strictly Python 3. Both my environments (Splunk v7 & Splunk v8) are wired to pull the same data for Audit/Operational logs from Azure. Despite having the same configuration for the External Lookup, I am getting NIL values in response in Splunk v8. I checked the input which was being passed to the script as well and it is not correct from what I see because that data is not present in the context of that search and other records are not being sent to the lookup script.

  2. Furthermore, when I try to execute the lookup with Splunk’s Command line Python, the script executes properly and I am able to see the logs and response as well –

    PS C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\bin> & "C:\Program Files\Splunk\bin\splunk.exe" cmd python3 Transformation.py '{\"Id\":\"9afcad57-09c3-4d2d-9049-18b15e733f66\",\"Properties\":{\"PrincipalId\":\"e0572058-cc90-453d-adc9-3
    e60a1361006\",\"RoleDefinitionId\":\"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7\",\"Scope\":\"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/resourceGroups/ARC
    /providers/Microsoft.Web/sites/cus-fun-01\"}}'
    {"Id":"9afcad57-09c3-4d2d-9049-18b15e733f66","Properties":{"PrincipalId":"e0572058-cc90-453d-adc9-3e60a1361006","RoleDefinitionId":"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"
    ,"Scope":"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/resourceGroups/ARC/providers/Microsoft.Web/sites/cus-fun-01"}}
    {'Name': 'read-only', 'Type': 'User'}
    BuiltInRole/Reader
    /subscriptions/Azure Subscription/resourceGroups/ARC/providers/Microsoft.Web/sites/cus-fun-01

This implies that the Lookup script is compatible with Python 3 and is working with Splunk’s inbuild Python 3 interpreter but looks like something is going wrong when data is coming in when Splunk is trying to look up as part of a search. Whenever the search happens with this External Lookup in Splunk, it gives me NIL values for several records which are not part of the search context and when I try navigating to those records, Splunk doesn’t find any.

Any idea what might be the issue here?

Thanks,
Pranav

0 Karma
Reply
Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...

Splunk Answers Content Calendar, June Edition II

Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...