Splunk Search

External Python Lookup not working with Splunk 8.0 with Python 3

blueelvis
Engager

Hi,

  1. I have set up Splunk v8.0 in a separate VM and configured it to run strictly Python 3. Both my environments (Splunk v7 & Splunk v8) are wired to pull the same data for Audit/Operational logs from Azure. Despite having the same configuration for the External Lookup, I am getting NIL values in response in Splunk v8. I checked the input which was being passed to the script as well, and it is not correct from what I see, because that data is not present in the context of that search and other records are not being sent to the lookup script.
  2. Furthermore, when I try to execute the lookup with Splunk’s command-line Python, the script executes properly and I am able to see the logs and response as well –

    PS C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\bin> & "C:\Program Files\Splunk\bin\splunk.exe" cmd python3 Transformation.py '{\"Id\":\"9afcad57-09c3-4d2d-9049-18b15e733f66\",\"Properties\":{\"PrincipalId\":\"e0572058-cc90-453d-adc9-3
    e60a1361006\",\"RoleDefinitionId\":\"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7\",\"Scope\":\"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/resourceGroups/ARC
    /providers/Microsoft.Web/sites/cus-fun-01\"}}'
    {"Id":"9afcad57-09c3-4d2d-9049-18b15e733f66","Properties":{"PrincipalId":"e0572058-cc90-453d-adc9-3e60a1361006","RoleDefinitionId":"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"
    ,"Scope":"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/resourceGroups/ARC/providers/Microsoft.Web/sites/cus-fun-01"}}
    {'Name': 'read-only', 'Type': 'User'}
    BuiltInRole/Reader
    /subscriptions/Azure Subscription/resourceGroups/ARC/providers/Microsoft.Web/sites/cus-fun-01

This implies that the Lookup script is compatible with Python 3 and is working with Splunk’s inbuilt Python 3 interpreter, but it looks like something is going wrong with the data coming in when Splunk is trying to do the lookup as part of a search. Whenever the search happens with this External Lookup in Splunk, it gives me NIL values for several records which are not part of the search context, and when I try navigating to those records, Splunk doesn’t find any.

Any idea what might be the issue here?

Thanks,
Pranav

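Added example, not the poster's Transformation.py and not code from Splunk_TA_microsoft-cloudservices: a Python 3 external lookup written against the protocol Splunk uses for external lookups (field names passed as arguments, a CSV with a header row on stdin, and the same CSV with the lookup fields filled in expected back on stdout), which differs from handing the script a JSON argument as in the manual test above. The field names properties, role_id and scope, and the matching fields_list / external_cmd entries in transforms.conf, are assumptions.

```python
import csv
import io
import json
import sys

# Constructed sample in the shape Splunk sends to an external lookup:
# a CSV header row followed by one row per event to enrich.
SAMPLE_CSV = (
    "properties,role_id,scope\n"
    '"{""RoleDefinitionId"":""/subscriptions/SUB-ID/providers/Microsoft.Authorization/'
    'roleDefinitions/ROLE-GUID"",""Scope"":""/subscriptions/SUB-ID/resourceGroups/ARC""}",,\n'
)


def parse_properties(blob):
    """Return (RoleDefinitionId, Scope) from the Properties JSON string, or
    ("", "") when the value is missing or malformed, so that one bad event
    does not abort the whole lookup."""
    try:
        props = json.loads(blob)
    except (TypeError, ValueError):
        return "", ""
    if not isinstance(props, dict):
        return "", ""
    return str(props.get("RoleDefinitionId", "")), str(props.get("Scope", ""))


def enrich_rows(rows):
    """Fill role_id and scope from each row's properties column, keeping any
    value Splunk already supplied. Returns a new list so it can be tested."""
    enriched = []
    for row in rows:
        row = dict(row)
        role_id, scope = parse_properties(row.get("properties", ""))
        row["role_id"] = row.get("role_id") or role_id
        row["scope"] = row.get("scope") or scope
        enriched.append(row)
    return enriched


def main():
    # Splunk passes the field names as argv and the CSV on stdin, and expects
    # the same header back on stdout; text-mode I/O is correct under Python 3.
    source = io.StringIO(SAMPLE_CSV) if sys.stdin.isatty() else sys.stdin
    reader = csv.DictReader(source)
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames,
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(enrich_rows(reader))


if __name__ == "__main__":
    main()
```

Run from a terminal it processes the constructed sample; under Splunk it reads the CSV the search engine pipes in.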