Please check whether you have a mismatch between the transforms.conf and the lookup script. Maybe you have a copy of the transforms.conf in the local folder in the app directory. From version 1.0 to version 1.1 I added new available fields, so ensure that for 1.1 you have the following config:
transforms.conf needs to have:
[threatscore]
external_cmd = scorelookup.py clientip threatscore
fields_list = clientip threatscore days_since_last_activity visitor_type
Check that this content is in $splunkhome/etc/apps/ipreputation/default as well as in local, in case you modified something in the config there.
The lookup script needs to be version 1.1. Check that, in the bin/ directory of the app, the header of scorelookup.py shows:
Version: 1.1
because that version of the Python script gives you back additional fields into Splunk:
out = "%s,%s,%s,%s" % (ip_address, threat_score, days_since_last_activity, visitor_type)
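The checks described in the post above can be scripted. This is an added example, not code from the post or from the app: it reads the [threatscore] stanza from default/ and local/, lets a key set in local/ override the same key in default/, and compares the effective fields_list and the script's "Version:" header with the 1.1 values quoted above. The function names, the 2 KB header window and the comment handling are assumptions.

```python
import os
import re
import sys

# Expected values for app version 1.1, as quoted in the post.
EXPECTED_FIELDS = ["clientip", "threatscore", "days_since_last_activity", "visitor_type"]
EXPECTED_VERSION = "1.1"

def read_text(path):
    """Return file contents, or "" when the file does not exist."""
    if not os.path.isfile(path):
        return ""
    with open(path) as fh:
        return fh.read()

def read_stanza(path, stanza):
    """Return the settings of one stanza in a .conf file ({} if absent)."""
    settings, current = {}, None
    for line in (raw.strip() for raw in read_text(path).splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == stanza and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def check_app(app_dir, stanza="threatscore"):
    """Return a list of mismatches; an empty list means config and script agree."""
    problems = []
    local = read_stanza(os.path.join(app_dir, "local", "transforms.conf"), stanza)
    effective = read_stanza(os.path.join(app_dir, "default", "transforms.conf"), stanza)
    effective.update(local)  # a key set in local/ overrides the same key in default/
    fields = re.split(r"[,\s]+", effective.get("fields_list", "").strip())
    if fields != EXPECTED_FIELDS:
        origin = "local" if "fields_list" in local else "default"
        problems.append("fields_list (%s): %s" % (origin, " ".join(fields)))
    # Assumption: the "Version:" header sits within the first 2 KB of the script.
    header = read_text(os.path.join(app_dir, "bin", "scorelookup.py"))[:2048]
    found = re.search(r"Version:\s*(\d+(?:\.\d+)*)", header)
    if not found or found.group(1) != EXPECTED_VERSION:
        problems.append("scorelookup.py version: %s" % (found.group(1) if found else "missing"))
    return problems

if __name__ == "__main__":
    # Usage: pass the app directory (the ipreputation folder) as the only argument.
    for problem in check_app(sys.argv[1]):
        print(problem)
```

A leftover 1.0 stanza in local/ is reported as "fields_list (local): clientip threatscore", which is the mismatch the post describes.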