Problems with URL Toolbox App Installed on a Search Head Cluster

bradp1234
Path Finder

I have installed the URL Toolbox app on a search head cluster, but the app is not working properly. When I try to use the macros associated with the app, I get these errors:

Could not find 'ut_countset.py'. It is required for lookup 'ut_countset_lookup'.
Streamed search execute failed because: Error in 'lookup' command: The lookup table 'ut_countset_lookup' does not exist or is not available.

I have double-checked that those objects are in the app and that it is installed on the search head. According to the documentation, the app does not need to be installed on the indexers, but to try to fix this error, I installed the app on the indexers anyway. Installing the app on the indexers did not resolve the errors. I have verified the permissions of the files and used the Splunk btool to ensure the stanzas are showing up. The command below displayed lines from the transforms.conf in the utbox folder.

/opt/splunk/bin/splunk btool transforms list --debug | grep ut_

I was able to run the following command, which indicates that the Python files are working and do not have permission issues.

/opt/splunk/bin/splunk cmd python /opt/splunk/etc/slave-apps/APP_utbox/bin/ut_countset.py

andrewaalin
Explorer

I had a very similar issue, and found a workaround: adding "local=true" on the lookup statement, to make it run on the search head instead of an indexer.

For a silly example, you could do:

index=_internal | eval my_url_field="www.google.com:1234/path1/path2?blahblah" | lookup local=true ut_parse_simple_lookup url AS my_url_field 

An external lookup is looking for scripts in:

  • $SPLUNK_HOME/etc/apps//bin
  • $SPLUNK_HOME/etc/searchscripts

but trying to run from a clustered indexer means that the script instead lives in:
$SPLUNK_HOME/etc/slave-apps//bin

Forcing it to run instead on the search head means that the scripts indeed will exist in:
$SPLUNK_HOME/etc/apps//bin

To make this tidier, you can create a local version of macros.conf, with "local=true" inserted into all lookup statements, either superseding existing macro names, or with new macro names.

The side effect is that you will be taxing your search heads when calling URL Toolbox.

0 Karma
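
The macros.conf override suggested in the answer above can be generated rather than edited by hand. This is an added example, not part of the original posts and not code from URL Toolbox: it reads a default macros.conf and emits only the stanzas whose definition calls `lookup`, with `local=true` inserted. The sample stanzas are constructed stand-ins, not copied from the app, and the function name is hypothetical.

```python
import re

# `lookup` in command position: first token of the definition, or right after
# a pipe or subsearch bracket. Skipped when local= is already set on it.
LOOKUP_CMD = re.compile(r'(^|[|\[][\s\\]*)(lookup\s+)(?![^|\]]*\blocal\s*=)', re.I)
DEFINITION = re.compile(r'^definition\s*=\s*', re.I)

# Constructed sample input; real definitions in the app may differ.
SAMPLE_DEFAULT = r'''[ut_parse_simple(1)]
args = url
definition = lookup ut_parse_simple_lookup url AS $url$

[ut_countset(2)]
args = word,set
definition = lookup ut_countset_lookup word AS $word$ set AS $set$

[already_local(1)]
definition = lookup local=true ut_parse_simple_lookup url AS $url$

[no_lookup]
definition = eval x=1
'''


def force_local_lookups(default_conf: str) -> str:
    """Return local/macros.conf text overriding only definitions that call lookup."""
    out, stanza, value = [], None, None

    def flush():
        nonlocal value
        if stanza and value is not None:
            patched = LOOKUP_CMD.sub(r'\1\2local=true ', value)
            if patched != value:  # emit an override only when something changed
                out.append(f'{stanza}\ndefinition = {patched}\n')
        value = None

    for line in default_conf.splitlines():
        if value is not None and value.endswith('\\'):
            value += '\n' + line  # backslash continuation of the definition
            continue
        flush()
        if line.startswith('['):
            stanza = line.strip()
        elif DEFINITION.match(line):
            value = DEFINITION.sub('', line, count=1)
    flush()
    return '\n'.join(out)

if __name__ == '__main__':
    print(force_local_lookups(SAMPLE_DEFAULT))
```

Only the `definition` key is written because Splunk merges configuration layers per attribute, so `args` and other settings continue to come from the default file.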