Hello,
I would like to call scorelookup.py directly from splunk search using | scorelookup ip 0 (also why must we add an argument after the ip?)
I think I should create commands.conf in etc/apps/search/local
Thanks.
Hi realsplunk,
I think you are asking how to call it from the search app. I just did a default installation and the lookup definition you found is set to global by default. So it should work in the search app. The scripted lookup is called "threatscore", not scorelookup. It's also not a search command; it's a scripted lookup, so you need to add "lookup" in front of it.
correct use:
lookup threatscore clientip as %yourcustomfieldifnotclientip%
In the lookup you do not need to add another parameter (0). That's just in the config for what comes back to Splunk (IP + score is sent back from the script into Splunk).
Hope that helps you.
Best
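The answer above describes the scripted (external) lookup contract: Splunk runs the script, feeds it CSV on stdin with the fields from transforms.conf fields_list, and reads the same CSV back with the output field filled in. The following is an added example of a minimal script of that shape, not the threatscore script shipped with the app; the threat-score table, the field names clientip/score and the assumption that the field names arrive as command-line arguments are all constructed for illustration.

```python
import csv
import io
import sys

# Constructed sample table for the example; a real lookup would load its
# scores from a file or a threat-intel feed instead.
THREAT_SCORES = {
    "203.0.113.5": "90",
    "198.51.100.23": "40",
}


def enrich(input_text, key_field="clientip", value_field="score", table=THREAT_SCORES):
    """Read the CSV Splunk sends on stdin, fill value_field for every row
    whose key_field is in the table, and return the CSV Splunk expects back.
    The header is echoed unchanged so Splunk can map the columns."""
    reader = csv.DictReader(io.StringIO(input_text))
    if reader.fieldnames is None:
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        key = (row.get(key_field) or "").strip()
        # Unknown IPs get an empty score rather than a misleading default,
        # so the search only sees scores the table actually vouches for.
        row[value_field] = table.get(key, "")
        writer.writerow(row)
    return out.getvalue()


def main(argv):
    # Assumption: transforms.conf passes the key and value field names as
    # arguments, e.g. external_cmd = threatscore.py clientip score
    key_field = argv[1] if len(argv) > 1 else "clientip"
    value_field = argv[2] if len(argv) > 2 else "score"
    sys.stdout.write(enrich(sys.stdin.read(), key_field, value_field))


if __name__ == "__main__":
    main(sys.argv)
```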
You're looking for a custom search command, it seems. The scope of implementing one can be large (or not so large), but you probably want to start here: