
Problem configuring lookup table with external script

jcbrendsel
Path Finder

Have been trying to configure a lookup table with an external python script to no avail. Was trying to model it after the following article:

http://docs.splunk.com/Documentation/Splunk/4.3.1/Knowledge/Addfieldsfromexternaldatasources#Set_up_...

Our script takes a user_agent field from an Apache access log and parses it using the popular ua_parser Python library. The script accepts one input and provides 10 outputs.

I modified props.conf as follows:

[source::/var/log/httpd/videoportal_access.log]
REPORT-1-videoportal_access-log = access-extractions
LOOKUP-ua-parser = userAgentParse user_agent OUTPUT ua_user_agent_family ua_user_agent_major ua_user_agent_minor ua_os_family ua_os_major ua_os_minor ua_device_is_spider ua_device_is_mobile ua_device_family

And I modified transforms.conf as follows:

[userAgentParse]
external_cmd = user_agent_parser.py user_agent ua_user_agent_family ua_user_agent_major ua_user_agent_minor ua_os_family ua_os_major ua_os_minor ua_device_is_spider ua_device_is_mobile ua_device_family
fields_list = user_agent,ua_user_agent_family,ua_user_agent_major,ua_user_agent_minor,ua_os_family,ua_os_major,ua_os_minor,ua_device_is_spider,ua_device_is_mobile,ua_device_family

The problem is that when I load the access file in question, I get an error.

Script for lookup table 'userAgentParse' returned error code 1. Results may be incorrect.

Any suggestions on how I go about debugging this?

0 Karma

vincesesto
Communicator

Hello,

I have been having a lot of issues with my database lookups as well. Does your user_agent_parser.py script output when you call it from the command line... e.g., if you parse a CSV file to the script, does it connect to the database correctly and give you the desired output?

I would love to know how to debug the lookups correctly as well, so if you find your answer I think I will find my answer.

Regards,

Vince

0 Karma
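A debuggable skeleton for this kind of lookup script, added here as an example and not the poster's user_agent_parser.py. It assumes the CSV-on-stdin, CSV-on-stdout contract of Splunk external lookups; `stub_parse`, `run_lookup` and `SAMPLE` are hypothetical names, with `stub_parse` standing in for the real ua_parser call.

```python
import csv
import sys
import traceback

# Column names copied from fields_list in the transforms.conf stanza above.
FIELDS = ("user_agent,ua_user_agent_family,ua_user_agent_major,ua_user_agent_minor,"
          "ua_os_family,ua_os_major,ua_os_minor,ua_device_is_spider,"
          "ua_device_is_mobile,ua_device_family").split(",")

# Constructed sample request: header row, then one row with only the input filled in.
SAMPLE = ",".join(FIELDS) + "\nMozilla/5.0 (compatible; Googlebot/2.1)" + "," * 9 + "\n"


def stub_parse(ua):
    """Hypothetical stand-in for the real ua_parser call; returns a dict of output columns."""
    is_bot = "bot" in ua.lower()
    return {"ua_user_agent_family": "Googlebot" if is_bot else "Other",
            "ua_device_is_spider": str(is_bot)}


def run_lookup(infile, outfile, parse=stub_parse, errfile=sys.stderr):
    """Fill the output columns of each CSV row; return the process exit code."""
    try:
        reader = csv.DictReader(infile)
        if "user_agent" not in (reader.fieldnames or []):
            raise ValueError("no user_agent column in header: %r" % reader.fieldnames)
        writer = csv.DictWriter(outfile, fieldnames=reader.fieldnames, extrasaction="ignore")
        writer.writeheader()
        for row in reader:
            try:
                if row["user_agent"]:
                    row.update(parse(row["user_agent"]))
            except Exception:
                # One bad value should not fail the whole lookup: log it, leave outputs empty.
                traceback.print_exc(file=errfile)
            writer.writerow(row)
        return 0
    except Exception:
        # Anything uncaught would make Python exit with status 1 and no useful context.
        traceback.print_exc(file=errfile)
        return 1


if __name__ == "__main__":
    sys.exit(run_lookup(sys.stdin, sys.stdout))
```

Piping a CSV shaped like `SAMPLE` into the script from a shell, ideally with Splunk's bundled interpreter via `splunk cmd python`, shows the traceback on stderr that the "returned error code 1" message hides.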