How to configure Splunk with my python script for an external lookup?

yko84108
New Member

Hi,

I want to build my own Python code that gets an IP address as a parameter. My script uses IP2Location and returns information about the IP address from the IP2Location DB:
https://www.ip2location.com/developers

So what I did is build a Python script that receives an IP address and returns a CSV row with the result from IP2Location.
My script is located in:
/opt/splunk/etc/apps/search/bin

And I configured transforms.conf according to this tutorial:
https://docs.splunk.com/Documentation/SplunkCloud/7.0.3/Knowledge/Configureexternallookups

[ip2location]
external_cmd = ip2location.py clientip 
fields_list = What should I write here?

I'm trying to understand:
1. How do I need to configure the [ip2location] section in transforms.conf?
2. What is the meaning of fields_list?
3. How can I make my script work in Splunk? I just want Splunk to give my script an IP address and return CSV as the result.

Thanks

0 Karma

jkat54
SplunkTrust
fields_list = <string>: is a list of all fields that are supported by the external lookup. The fields must be delimited by a comma followed by a space.

The above was in the link you shared. Please read the link again very carefully and I think you’ll resolve your problem.

Where will you “return csv”? Should it return as events in the search pipeline? Or are you making your external lookup code write a csv somewhere on the file system?

0 Karma

yko84108
New Member

Hi,
About 1 - I read that, but what does that mean for my CSV? Do I need to write my CSV fields?
"return csv" means I'm using Python's csv.writer to write to sys.stdout, not to the file system.

0 Karma