All Apps and Add-ons

Problems with URL Toolbox App Installed on a Search Head Cluster

Path Finder

I have installed the URL Toolbox app on a search head cluster, but the app is not working properly. When I try to use the macros associated with the app, I get these errors

Could not find ''. It is required for lookup 'ut_countset_lookup'.
Streamed search execute failed because: Error in 'lookup' command: The lookup table 'ut_countset_lookup' does not exist or is not available.

I have double checked that those objects are in the app and it is installed on the search head. According to the documentation, the app does not need to be installed on the indexers, but to try and fix this error, I installed the app on the indexers anyway. Installing the app on the indexers did not resolve the errors. I have verified the permissions of the files and used the Splunk btool to ensure the stanzas are showing up. The below command displayed lines from the transforms.conf in the utbox folder.

/opt/splunk/bin/splunk btool transforms list --debug | grep ut_

I was able to run the following command, which indicates that the python files are working and do not have permissions issues.

/opt/splunk/bin/splunk cmd python /opt/splunk/etc/slave-apps/APP_utbox/bin/


I had a very similar issue, and found a workaround: adding "local=true" on the lookup statement, to make it run on the search head instead of an indexer.

For a silly example, you could do:

index=_internal | eval my_url_field="" | lookup local=true ut_parse_simple_lookup url AS my_url_field 

An external lookup is looking for scripts in:

  • $SPLUNK_HOME/etc/apps//bin
  • $SPLUNK_HOME/etc/searchscripts

but trying to run from a clustered indexer means that the script instead lives in:

Forcing it to run instead on the search head means that the scripts indeed will exist in:

To make this tidier, you can create a local version of macros.conf, with "local=true" inserted into all lookup statements, either superseding existing macro names, or with new macro names.

The side effect is that you will be taxing your search heads when calling URL Toolbox.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...