I have defined the following external field lookup in my transforms.conf:
[virustotal_hash_lookup]
external_type = python
external_cmd = virusTotal.py -fr hash
fields_list = hash, total, positives
If I run the script from the command line, I get the proper CSV output:
/opt/splunk/bin/splunk cmd python virusTotal.py -fr 3ce4cdd9b4bd62c44295824f095d6c389e41dab280f93f17bcf1dcf29130981d
total,positives
47,1
But when I run it, I get the following:
"Script for lookup table 'virustotal_hash_lookup' returned error code 1. Results may be incorrect."