Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- External Python Lookup not working with Splunk 8.0...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
External Python Lookup not working with Splunk 8.0 with Python 3
Hi,
- I have setup Splunk v8.0 in a separate VM and configured it to run strictly Python 3. Both my environments (Splunk v7 & Splunk v8) are wired to pull the same data for Audit/Operational logs from Azure. Despite having the same configuration for the External Lookup, I am getting NIL values in response in Splunk v8. I checked the input which was being passed to the script as well and it is not correct from what I see because that data is not present in the context of that search and other records are not being sent to the lookup script.
Furthermore, when I try to execute the lookup with Splunk’s Command line Python, the script executes properly and I am able to see the logs and response as well –
PS C:\Program Files\Splunk\etc\apps\Splunk_TA_microsoft-cloudservices\bin> & "C:\Program Files\Splunk\bin\splunk.exe" cmd python3 Transformation.py '{\"Id\":\"9afcad57-09c3-4d2d-9049-18b15e733f66\",\"Properties\":{\"PrincipalId\":\"e0572058-cc90-453d-adc9-3
e60a1361006\",\"RoleDefinitionId\":\"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7\",\"Scope\":\"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/resourceGroups/ARC
/providers/Microsoft.Web/sites/cus-fun-01\"}}'
{"Id":"9afcad57-09c3-4d2d-9049-18b15e733f66","Properties":{"PrincipalId":"e0572058-cc90-453d-adc9-3e60a1361006","RoleDefinitionId":"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"
,"Scope":"/subscriptions/66d477ee-6241-4568-9e3f-d533bd3a8953/resourceGroups/ARC/providers/Microsoft.Web/sites/cus-fun-01"}}
{'Name': 'read-only', 'Type': 'User'}
BuiltInRole/Reader
/subscriptions/Azure Subscription/resourceGroups/ARC/providers/Microsoft.Web/sites/cus-fun-01
This implies that the Lookup script is compatible with Python 3 and is working with Splunk’s inbuild Python 3 interpreter but looks like something is going wrong when data is coming in when Splunk is trying to look up as part of a search. Whenever the search happens with this External Lookup in Splunk, it gives me NIL values for several records which are not part of the search context and when I try navigating to those records, Splunk doesn’t find any.
Any idea what might be the issue here?
Thanks,
Pranav
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
