
Why am I getting "Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table" after upgrading the IP Reputation App?

mmaier_splunk
Splunk Employee

I just recently upgraded the wonderful IP Reputation app, but now I am running into errors when I try to perform threatscore lookups.

Splunk tells me:

Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

I ran nslookup with my http:BL code and I am getting a valid reply.

When I try to run the scorelookup.py script from the Splunk server, I get the following errors:

: File name too long
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 31: import: command not found
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 32: import: command not found
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 33: import: command not found
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 34: from: command not found
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 39: key: command not found
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 44: debug: command not found
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 46: syntax error near unexpected token `('
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 46: `    f = open('score_lookup_log.txt', 'a+')'

Any help would be appreciated.


Matthias_BY
Communicator

Please check whether you have a mismatch between transforms.conf and the lookup script. Maybe you have a copy of transforms.conf in the local folder of the app directory. From version 1.0 to version 1.1 I added new available fields, so ensure that for 1.1 you have the following config:

transforms.conf needs to have:

[threatscore]
external_cmd = scorelookup.py clientip threatscore
fields_list = clientip, threatscore, days_since_last_activity, visitor_type

Check that this content is in $splunkhome/etc/apps/ipreputation/default as well as in local, in case you modified something there in the config.

The lookup script needs to be version 1.1. Check that in the bin/ directory of the app the header in scorelookup.py shows:

Version: 1.1

because that version of the Python script returns additional fields to Splunk:

out = "%s,%s,%s,%s" % (ip_address, threat_score, days_since_last_activity, visitor_type)

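To make the mismatch concrete, here is an added example of an external lookup in the shape the answer describes; it is not the IP Reputation app's own scorelookup.py. Splunk runs the script named in external_cmd under its own Python, pipes it a CSV whose header row is the fields_list, and expects a CSV with the same columns back; the "Could not find all of the specified lookup fields" error is what you see when the script's columns and the stanza's fields_list disagree (a 1.0 script returning two columns against a 1.1 transforms.conf declaring four). The score table, sample input, and the helper names parse_fields_list, missing_fields, lookup and lookup_rows are constructed for this example; the real script resolves scores via http:BL DNS instead. Note that the bash-style "import: command not found" output in the question is what you get when a shell, rather than Python, executes the file, so run a check like this with python (or splunk cmd python) explicitly.

```python
"""Shape of a Splunk external lookup, checked against fields_list.

Added example, not the IP Reputation app's scorelookup.py. SAMPLE_SCORES and
SAMPLE_INPUT are constructed; the real script queries http:BL over DNS.
"""
import csv
import io
import re
import sys

# transforms.conf stanza for the 1.1 layout, as quoted in the answer above.
TRANSFORMS_11 = """[threatscore]
external_cmd = scorelookup.py clientip threatscore
fields_list = clientip, threatscore, days_since_last_activity, visitor_type
"""

# Constructed stand-in for http:BL answers: ip -> (score, days, visitor type).
SAMPLE_SCORES = {
    "203.0.113.7": ("75", "3", "comment_spammer"),
    "198.51.100.22": ("10", "40", "suspicious"),
}

# Constructed CSV in the form Splunk hands the script on stdin:
# header = fields_list, output columns left empty for the script to fill.
SAMPLE_INPUT = (
    "clientip,threatscore,days_since_last_activity,visitor_type\n"
    "203.0.113.7,,,\n"
    "192.0.2.1,,,\n"
)


def parse_fields_list(stanza_text):
    """Return the fields_list of a transforms.conf stanza as a list of names.

    Accepts the documented comma+space form and a bare space-separated list.
    """
    for line in stanza_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "fields_list":
            return [f for f in re.split(r"[,\s]+", value.strip()) if f]
    return []


def missing_fields(fields_list, header):
    """Fields Splunk expects that the CSV header does not carry."""
    return [f for f in fields_list if f not in header]


def lookup(in_csv_text, fields_list=None):
    """Read Splunk's CSV, fill the score columns, return the CSV to emit."""
    fields_list = fields_list or parse_fields_list(TRANSFORMS_11)
    reader = csv.DictReader(io.StringIO(in_csv_text))
    missing = missing_fields(fields_list, reader.fieldnames or [])
    if missing:
        # A 1.0-style header paired with a 1.1 transforms.conf fails here.
        raise ValueError("header lacks fields_list columns: %s" % ", ".join(missing))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        hit = SAMPLE_SCORES.get(row["clientip"])
        if hit:
            (row["threatscore"], row["days_since_last_activity"],
             row["visitor_type"]) = hit
        # Unknown IPs go back with the score columns still empty.
        writer.writerow(row)
    return out.getvalue()


def lookup_rows(in_csv_text):
    """Same as lookup(), but parsed back into dicts for checking."""
    return list(csv.DictReader(io.StringIO(lookup(in_csv_text))))


def main():
    # Splunk's contract: CSV in on stdin, CSV with the same columns on stdout.
    sys.stdout.write(lookup(sys.stdin.read()))


if __name__ == "__main__":
    main()
```

Feeding it the 1.1 header fills the four columns; feeding it a two-column header raises immediately, which is the same condition Splunk reports as the lookup error. Comparing parse_fields_list() of your active stanza (default and local) against the header your script prints is the quick way to confirm the two are in step after an upgrade.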