TA-user-agents Failing on Splunk Cloud

nickhills
Ultra Champion

I have recently deployed this TA, but it is failing to run on our SC Stack.

Attempting to call the lookup with:

|stats count by http_user_agent|lookup user_agents http_user_agent OUTPUT



Search log reports:

10-23-2025 10:57:21.744 INFO  Timeliner [2977630 DownloadRemoteEventLoopRunner] -  Sending POST request 'redacted.splunkcloud.com/1761217038.13953/events?offset=2113&count=48'
10-23-2025 10:57:21.749 ERROR ExternalProvider [2914921 phase_1] - Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.
10-23-2025 10:57:21.750 ERROR SearchOrchestrator [2905027 searchOrchestrator] - Phase_1 failed due to : Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.
10-23-2025 10:57:21.750 INFO  SearchStatusEnforcer [2914554 StatusEnforcerThread] - sid=1761217038.13953, newState=FAILED, message=Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.
10-23-2025 10:57:21.750 ERROR SearchStatusEnforcer [2914554 StatusEnforcerThread] - SearchMessage orig_component=SearchStatusEnforcer sid=1761217038.13953 message_key= message=Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.
10-23-2025 10:57:21.750 INFO  SearchStatusEnforcer [2914554 StatusEnforcerThread] - State changed to FAILED: Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.


Splunkd.log contains one more useful detail:

10-23-2025 10:57:21.946 +0000 ERROR SearchProcessRunner [1168347 PreforkedSearchesManager-0] - preforked process=0/9376 with search=0/27967 and cmd=splunkd\x00search\x00--id=1761217038.13953\x00--maxbuckets=300\x00--ttl=600\x00--maxout=500000\x00--maxtime=8640000\x00--lookups=1\x00--reduce_freq=10\x00--rf=*\x00--user=redacted.com\x00--pro\x00--roles=power:sc_admin:tokens_auth:user\x00--sslclientsession=SESSION_CACHE_REDACTED died on exception (exit_code=111): Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.

  
The app suggests support for SC and versions up to v10, although our stack is currently at 9.3.2411.118.
I have asked Cloud-Ops to verify the app is correctly installed and enabled after I SSAI'd it on Victoria, and they have confirmed that in their opinion, there is an issue with the script.

Is anyone else running this TA on Splunk Cloud 9.3x?
Or can anyone from @aplura help?


If my comment helps, please give it a thumbs up!
0 Karma

aplura_llc_supp
Communicator

Aplura Checking In!

I was able to reproduce on Splunk Cloud 10.x. It looks to be a problem with missing package components due to an upgrade of the UA Parsing package. Upgrades of the TA would work, but not net-new installs.

I'm working to fix it up, should have a new build out "this month". I'll triple confirm working on Splunk Cloud 10 prior to release 😄

FYI -> Job Inspector -> search.log has the "missing modules" notifications and small stacktrace. 

Thanks for letting us know!

richgalloway
SplunkTrust

What does python.log say?

---
If this reply helps you, Karma would be appreciated.
0 Karma

nickhills
Ultra Champion

Nothing whatsoever.


Not a single error, or mention of the aforementioned script.

If my comment helps, please give it a thumbs up!
0 Karma