I have a scripted input that takes the "hash" field as an input and outputs JSON. Works like:
python virusTotal.py -fr 1a22e0b7ae19143ec099af972c6a116c244a8cb226c62d0c8bcfa2a269ce7e3c
Output:
New Virus Total instance
**** VIRUS API GO ****
{"response_code": 0, "resource": "1a22e0b7ae19143ec099af972c6a116c244a8cb226c62d0c8bcfa2a269ce7e3c", "verbose_msg": "The requested resource is not among the finished, queued or pending scans"}
The entry in transforms.conf is:
[virustotal_hash_lookup]
external_cmd = virusTotal.py -fr hash
fields_list = hash,result
I run it in Splunk like:
| lookup virustotal_hash_lookup hash OUTPUT result
But the result field is always empty... I don't see any errors when it runs...
Thx.
Craig
Dynamic lookups need both input and output to be in CSV format, so it seems to me you're going about this the wrong way. http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsfromexternaldatasources