
Why am I getting "Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table" after upgrading the IP Reputation App?

mmaier_splunk
Splunk Employee

I just recently upgraded the wonderful IP Reputation app, but now I am running into errors when I try to perform threatscore lookups.

Splunk tells me:

Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

I ran nslookup with my http:BL code and I am getting a valid reply.

When I try to run the scorelookup.py script from the Splunk server, I get the following errors:

: File name too long
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 31: import: command not found
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 32: import: command not found
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 33: import: command not found
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 34: from: command not found
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 39: key: command not found
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 44: debug: command not found
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 46: syntax error near unexpected token `('
/opt/splunk/etc/apps/ipreputation/bin/scorelookup.py: line 46: `    f = open('score_lookup_log.txt', 'a+')'

Any help would be appreciated.


Matthias_BY
Communicator

Please check whether you have a mismatch between transforms.conf and the lookup script. Maybe you have a copy of transforms.conf in the local folder of the app directory. From version 1.0 to version 1.1 I added new available fields, so ensure that for 1.1 you have the following config:

transforms.conf needs to have:

[threatscore]
external_cmd = scorelookup.py clientip threatscore
fields_list = clientip threatscore days_since_last_activity visitor_type

Check that this content is in $splunkhome/etc/apps/ipreputation/default as well as in local, in case you modified something in the config there.

The lookup script needs to be version 1.1. Check that in the bin/ directory of the app the header in scorelookup.py shows:

Version: 1.1

because that version of the Python script returns additional fields to Splunk:

out = "%s,%s,%s,%s" % (ip_address, threat_score, days_since_last_activity, visitor_type)

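To show why a version 1.0 script under a version 1.1 transforms.conf produces exactly this error, here is an added example (not the app's own code) that emulates Splunk's external lookup exchange: Splunk pipes CSV whose header is fields_list to external_cmd, and the script must answer with CSV whose header contains every one of those fields. The minimal transforms.conf parser, the two-field "1.0" layout, the sample IPs and the http:BL answers are all constructed for the example.

```python
import csv
import io

FIELDS_LIST_11 = ["clientip", "threatscore", "days_since_last_activity", "visitor_type"]  # 1.1 stanza in the answer
SCRIPT_FIELDS = {"1.0": FIELDS_LIST_11[:2], "1.1": FIELDS_LIST_11}  # header each script version writes back
# Constructed sample answers standing in for the http:BL DNS reply, so this runs offline
SAMPLE_SCORES = {"198.51.100.7": ("75", "3", "comment spammer"), "203.0.113.9": ("0", "0", "search engine")}


def parse_fields_list(transforms_text, stanza):
    """Return fields_list of one stanza from transforms.conf text (minimal line parser)."""
    current, fields = None, []
    for line in transforms_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == stanza and line.startswith("fields_list"):
            fields = line.split("=", 1)[1].split()
    return fields


def splunk_request(fields_list, ips):
    """CSV Splunk pipes to the external_cmd: header is fields_list, only clientip filled."""
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=fields_list, lineterminator="\n")
    w.writeheader()
    for ip in ips:
        w.writerow({"clientip": ip})
    return out.getvalue()


def external_lookup(stdin_text, version):
    """Emulate scorelookup.py: answer each row, writing CSV under the script's own header."""
    fields = SCRIPT_FIELDS[version]
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(fields)
    for row in csv.DictReader(io.StringIO(stdin_text)):
        score, days, vtype = SAMPLE_SCORES.get(row["clientip"], ("0", "", ""))
        values = {"clientip": row["clientip"], "threatscore": score,
                  "days_since_last_activity": days, "visitor_type": vtype}
        w.writerow([values[f] for f in fields])
    return out.getvalue()


def missing_lookup_fields(fields_list, script_output):
    """fields_list entries the reply header lacks; non-empty is the lookup error from the question."""
    header = next(csv.reader(io.StringIO(script_output)), [])
    return [f for f in fields_list if f not in header]


def result_rows(script_output):  # parse the script's CSV reply into dicts
    return list(csv.DictReader(io.StringIO(script_output)))
```

Run missing_lookup_fields against the real transforms.conf and the real script output to confirm which side is stale. The `import: command not found` lines in the question are the shell, not Python, interpreting the script, so when testing by hand invoke it through Splunk's interpreter (`splunk cmd python scorelookup.py`).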