I just recently upgraded the wonderful IP Reputation app, but now I am running into errors when I try to perform threatscore lookups.
Splunk tells me:
Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.
I ran nslookup with my http:BL code and I am getting a valid reply.
When I try to run the scorelookup.py script from the Splunk server, I get the following errors:
: File name too long
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 31: import: command not found
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 32: import: command not found
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 33: import: command not found
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 34: from: command not found
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 39: key: command not found
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 44: debug: command not found
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 46: syntax error near unexpected token `('
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 46: ` f = open('score_lookup_log.txt', 'a+')'
Any help would be appreciated.
Please check whether you have a mismatch between transforms.conf and the lookup script. Maybe you have a copy of transforms.conf in the local folder of the app directory. From version 1.0 to version 1.1 I added new available fields, so ensure that for 1.1 you have the following config:
transforms.conf needs to have:
[threatscore]
external_cmd = scorelookup.py clientip threatscore
fields_list = clientip threatscore days_since_last_activity visitor_type
Check that this content is in $splunkhome/etc/apps/ipreputation/default as well as in local, in case you modified something there in the config.
The lookup script needs to be version 1.1. Check that in the bin/ directory of the app the header in scorelookup.py shows:
Version: 1.1
because that version of the Python script gives you back additional fields into Splunk:
out = "%s,%s,%s,%s" % (ip_address, threat_score, days_since_last_activity, visitor_type)
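As an added illustration (this is not the app's own scorelookup.py), the sketch below shows the contract the answer describes: Splunk pipes a CSV whose header carries every field in fields_list, and the script must write back a CSV with those same four columns, so a script or transforms.conf from the wrong version leaves columns missing. It assumes the http:BL reply format 127.<days>.<score>.<type> and the query name <key>.<reversed ip>.dnsbl.httpbl.org; the access key is a placeholder and the resolver can be swapped for a constructed one to test offline.

```python
import csv
import io
import socket
import sys

# Field list from the answer's transforms.conf for version 1.1 of the app.
FIELDS = ["clientip", "threatscore", "days_since_last_activity", "visitor_type"]
HTTPBL_KEY = "YOUR_HTTPBL_ACCESS_KEY"  # placeholder, not a real key


def decode_httpbl_reply(reply):
    """Decode an http:BL A-record reply "127.<days>.<score>.<type>" into
    (threatscore, days_since_last_activity, visitor_type) as strings.
    None means the IP is not listed (no reply) or the reply is malformed."""
    if not reply:
        return None
    octets = reply.split(".")
    if len(octets) != 4 or octets[0] != "127" or not all(o.isdigit() for o in octets):
        return None
    days, score, visitor_type = octets[1], octets[2], octets[3]
    return score, days, visitor_type


def query_httpbl(ip, key=HTTPBL_KEY):
    """Resolve <key>.<reversed ip>.dnsbl.httpbl.org; NXDOMAIN means not listed."""
    name = "%s.%s.dnsbl.httpbl.org" % (key, ".".join(reversed(ip.split("."))))
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def run_lookup(input_text, resolve=query_httpbl):
    """Splunk external-lookup contract: read the CSV Splunk sends (header names
    every fields_list field), fill what the script can per row, and write a CSV
    with the same columns. Emitting fewer columns than fields_list is one cause
    of "Could not find all of the specified lookup fields"."""
    reader = csv.DictReader(io.StringIO(input_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, extrasaction="ignore")
    writer.writeheader()
    for row in reader:
        decoded = decode_httpbl_reply(resolve(row.get("clientip", "")))
        if decoded:
            row["threatscore"], row["days_since_last_activity"], row["visitor_type"] = decoded
        writer.writerow(row)  # unlisted IPs keep empty score fields
    return out.getvalue()


if __name__ == "__main__":
    sys.stdout.write(run_lookup(sys.stdin.read()))
```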