Re: TA-user-agents Failing on Splunk Cloud

nickhills · ‎10-23-2025

I have recently deployed this TA, but it is failing to run on our SC Stack.

Attempting to call the lookup with:

|stats count by http_user_agent|lookup user_agents http_user_agent OUTPUT

Search Log reports :

10-23-2025 10:57:21.744 INFO  Timeliner [2977630 DownloadRemoteEventLoopRunner] -  Sending POST request 'redacted.splunkcloud.com/1761217038.13953/events?offset=2113&count=48'
10-23-2025 10:57:21.749 ERROR ExternalProvider [2914921 phase_1] - Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.
10-23-2025 10:57:21.750 ERROR SearchOrchestrator [2905027 searchOrchestrator] - Phase_1 failed due to : Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.
10-23-2025 10:57:21.750 INFO  SearchStatusEnforcer [2914554 StatusEnforcerThread] - sid=1761217038.13953, newState=FAILED, message=Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.
10-23-2025 10:57:21.750 ERROR SearchStatusEnforcer [2914554 StatusEnforcerThread] - SearchMessage orig_component=SearchStatusEnforcer sid=1761217038.13953 message_key= message=Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.
10-23-2025 10:57:21.750 INFO  SearchStatusEnforcer [2914554 StatusEnforcerThread] - State changed to FAILED: Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.

Splunkd.log contains one more useful detail:

10-23-2025 10:57:21.946 +0000 ERROR SearchProcessRunner [1168347 PreforkedSearchesManager-0] - preforked process=0/9376 with search=0/27967 and cmd=splunkd\x00search\x00--id=1761217038.13953\x00--maxbuckets=300\x00--ttl=600\x00--maxout=500000\x00--maxtime=8640000\x00--lookups=1\x00--reduce_freq=10\x00--rf=*\x00--user=redacted.com\x00--pro\x00--roles=power:sc_admin:tokens_auth:user\x00--sslclientsession=SESSION_CACHE_REDACTED died on exception (exit_code=111): Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.

The app suggests support for SC and versions up to v10, although our stack is currently at 9.3.2411.118
I have asked Cloud-Ops to verify the app is correctly installed and enabled after I SSAI'd it on Victoria, and they have confirmed that in their opinion, there is an issue with the script.

Is anyone else running this TA on Splunk Cloud 9.3x ?
Or can anyone from @aplura help?

If my comment helps, please give it a thumbs up!

aplura_llc_supp · ‎10-23-2025

Aplura Checking In!

I was able to reproduce on Splunk Cloud 10.x. It looks to be a problem with missing package components due to upgrade of the UA Parsing package. Upgrades of the TA would work, but not net-new installs.

I'm working to fix it up, should have a new build out "this month". I'll triple confirm working on Splunk Cloud 10 prior to release 😄

FYI -> Job Inspector -> search.log has the "missing modules" notifications and small stacktrace.

Thanks for letting us know!

richgalloway · ‎10-23-2025

What does python.log say?

---
If this reply helps you, Karma would be appreciated.

nickhills · ‎10-23-2025

Nothing whatsoever.

Not a single error, or mention of the aforementioned script

If my comment helps, please give it a thumbs up!

TA-user-agents Failing on Splunk Cloud

installation

troubleshooting

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation