Getting Data In

Problem configuring lookup table with external script

jcbrendsel
Path Finder

Have been trying to configure a lookup table with an external python script to no avail. Was trying to model it after the following article:

http://docs.splunk.com/Documentation/Splunk/4.3.1/Knowledge/Addfieldsfromexternaldatasources#Set_up_...

The our script takes a user_agent field from an apache access log and parses it using the popular ua_parser python library. The is script accepts one input and provides 10 outputs.

I modified props.conf as follows:

[source::/var/log/httpd/videoportal_access.log]
REPORT-1-videoportal_access-log = access-extractions
LOOKUP-ua-parser = userAgentParse user_agent OUTPUT ua_user_agent_family ua_user_agent_major ua_user_agent_minor ua_os_family ua_os_major ua_os_minor ua_device_is_spider ua_device_is_mobile ua_device_family

And I modified transforms.conf as follows:

[userAgentParse]
external_cmd = user_agent_parser.py user_agent ua_user_agent_family ua_user_agent_major ua_user_agent_minor ua_os_family ua_os_major ua_os_minor ua_device_is_spider ua_device_is_mobile ua_device_family
fields_list = user_agent,ua_user_agent_family,ua_user_agent_major,ua_user_agent_minor,ua_os_family,ua_os_major,ua_os_minor,ua_device_is_spider,ua_device_is_mobile,ua_device_family

The problem is that when I load the access file in question, I get an error.

Script for lookup table 'userAgentParse' returned error code 1. Results may be incorrect.

Any suggestions on how I go about debugging this?

0 Karma

vincesesto
Communicator

Hello,

I have been having a lot of issues with my database lookups as well. Does your user_agent_parser.py script output when you call it to the command line...eg, if you parse an csv file to the script, does it connect to the database correctly and give you the desired output?

I would love to know how to debug the lookups correctly as well, so if you find your answer I think I will find my answer.

Regards,

Vince

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...