Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

External Python Lookup not working with Splunk 8.0 with Python 3

blueelvis
Engager
‎12-05-2019 06:01 AM

Hi,

  1. I have setup Splunk v8.0 in a separate VM and configured it to run strictly Python 3. Both my environments (Splunk v7 & Splunk v8) are wired to pull the same data for Audit/Operational logs from Azure. Despite having the same configuration for the External Lookup, I am getting NIL values in response in Splunk v8. I checked the input which was being passed to the script as well and it is not correct from what I see because that data is not present in the context of that search and other records are not being sent to the lookup script.

  2. Furthermore, when I try to execute the lookup with Splunk’s Command line Python, the script executes properly and I am able to see the logs and response as well –

    PS C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\bin> & "C:\Program Files\Splunk\bin\splunk.exe" cmd python3 Transformation.py '{\"Id\":\"9afcad57-09c3-4d2d-9049-18b15e733f66\",\"Properties\":{\"PrincipalId\":\"e0572058-cc90-453d-adc9-3
    e60a1361006\",\"RoleDefinitionId\":\"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7\",\"Scope\":\"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/resourceGroups/ARC
    /providers/Microsoft.Web/sites/cus-fun-01\"}}'
    {"Id":"9afcad57-09c3-4d2d-9049-18b15e733f66","Properties":{"PrincipalId":"e0572058-cc90-453d-adc9-3e60a1361006","RoleDefinitionId":"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"
    ,"Scope":"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/resourceGroups/ARC/providers/Microsoft.Web/sites/cus-fun-01"}}
    {'Name': 'read-only', 'Type': 'User'}
    BuiltInRole/Reader
    /subscriptions/Azure Subscription/resourceGroups/ARC/providers/Microsoft.Web/sites/cus-fun-01

This implies that the Lookup script is compatible with Python 3 and is working with Splunk’s inbuild Python 3 interpreter but looks like something is going wrong when data is coming in when Splunk is trying to look up as part of a search. Whenever the search happens with this External Lookup in Splunk, it gives me NIL values for several records which are not part of the search context and when I try navigating to those records, Splunk doesn’t find any.

Any idea what might be the issue here?

Thanks,
Pranav

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...