Splunk Search

External lookup not working...

responsys_cm
Builder

I have a scripted input that takes the "hash" field as an input and outputs JSON. Works like:

python virusTotal.py -fr 1a22e0b7ae19143ec099af972c6a116c244a8cb226c62d0c8bcfa2a269ce7e3c

Output:

New Virus Total instance
**** VIRUS API GO ****

{"response_code": 0, "resource": "1a22e0b7ae19143ec099af972c6a116c244a8cb226c62d0c8bcfa2a269ce7e3c", "verbose_msg": "The requested resource is not among the finished, queued or pending scans"}

The entry in transforms.conf is:

[virustotal_hash_lookup]

external_cmd = virusTotal.py -fr hash

fields_list = hash,result

I run it in Splunk like:

| lookup virustotal_hash_lookup hash OUTPUT result

But the result field is always empty... I don't see any errors when it runs...

Thx.

Craig

Tags (2)
0 Karma

Ayn
Legend

Dynamic lookups need both input and output to be in CSV format, so it seems to me you're going about this the wrong way. http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsfromexternaldatasources

0 Karma
Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...