All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Problems with URL Toolbox App Installed on a Search Head Cluster

bradp1234
Path Finder
‎05-18-2017 12:12 PM

I have installed the URL Toolbox app on a search head cluster, but the app is not working properly. When I try to use the macros associated with the app, I get these errors

Could not find 'ut_countset.py'. It is required for lookup 'ut_countset_lookup'.
Streamed search execute failed because: Error in 'lookup' command: The lookup table 'ut_countset_lookup' does not exist or is not available.

I have double checked that those objects are in the app and it is installed on the search head. According to the documentation, the app does not need to be installed on the indexers, but to try and fix this error, I installed the app on the indexers anyway. Installing the app on the indexers did not resolve the errors. I have verified the permissions of the files and used the Splunk btool to ensure the stanzas are showing up. The below command displayed lines from the transforms.conf in the utbox folder.

/opt/splunk/bin/splunk btool transforms list --debug | grep ut_

I was able to run the following command, which indicates that the python files are working and do not have permissions issues.

/opt/splunk/bin/splunk cmd python /opt/splunk/etc/slave-apps/APP_utbox/bin/ut_countset.py

Reply

andrewaalin
Explorer
‎04-04-2018 09:55 AM

I had a very similar issue, and found a workaround: adding "local=true" on the lookup statement, to make it run on the search head instead of an indexer.

For a silly example, you could do:

index=_internal | eval my_url_field="www.google.com:1234/path1/path2?blahblah" | lookup local=true ut_parse_simple_lookup url AS my_url_field

An external lookup is looking for scripts in:

  • $SPLUNK_HOME/etc/apps//bin
  • $SPLUNK_HOME/etc/searchscripts

but trying to run from a clustered indexer means that the script instead lives in:
$SPLUNK_HOME/etc/slave-apps//bin

Forcing it to run instead on the search head means that the scripts indeed will exist in:
$SPLUNK_HOME/etc/apps//bin

To make this tidier, you can create a local version of macros.conf, with "local=true" inserted into all lookup statements, either superseding existing macro names, or with new macro names.

The side effect is that you will be taxing your search heads when calling URL Toolbox.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...