Re: TA-user-agents Failing on Splunk Cloud

nickhills · ‎10-23-2025

I have recently deployed this TA, but it is failing to run on our SC Stack.

Attempting to call the lookup with:

|stats count by http_user_agent|lookup user_agents http_user_agent OUTPUT

Search Log reports :

10-23-2025 10:57:21.744 INFO  Timeliner [2977630 DownloadRemoteEventLoopRunner] -  Sending POST request 'redacted.splunkcloud.com/1761217038.13953/events?offset=2113&count=48'
10-23-2025 10:57:21.749 ERROR ExternalProvider [2914921 phase_1] - Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.
10-23-2025 10:57:21.750 ERROR SearchOrchestrator [2905027 searchOrchestrator] - Phase_1 failed due to : Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.
10-23-2025 10:57:21.750 INFO  SearchStatusEnforcer [2914554 StatusEnforcerThread] - sid=1761217038.13953, newState=FAILED, message=Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.
10-23-2025 10:57:21.750 ERROR SearchStatusEnforcer [2914554 StatusEnforcerThread] - SearchMessage orig_component=SearchStatusEnforcer sid=1761217038.13953 message_key= message=Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.
10-23-2025 10:57:21.750 INFO  SearchStatusEnforcer [2914554 StatusEnforcerThread] - State changed to FAILED: Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.

Splunkd.log contains one more useful detail:

10-23-2025 10:57:21.946 +0000 ERROR SearchProcessRunner [1168347 PreforkedSearchesManager-0] - preforked process=0/9376 with search=0/27967 and cmd=splunkd\x00search\x00--id=1761217038.13953\x00--maxbuckets=300\x00--ttl=600\x00--maxout=500000\x00--maxtime=8640000\x00--lookups=1\x00--reduce_freq=10\x00--rf=*\x00--user=redacted.com\x00--pro\x00--roles=power:sc_admin:tokens_auth:user\x00--sslclientsession=SESSION_CACHE_REDACTED died on exception (exit_code=111): Error in 'lookup' command: Script execution failed for external search command '/opt/splunk/etc/apps/TA-user-agents/bin/user_agents.py'.

The app suggests support for SC and versions up to v10, although our stack is currently at 9.3.2411.118
I have asked Cloud-Ops to verify the app is correctly installed and enabled after I SSAI'd it on Victoria, and they have confirmed that in their opinion, there is an issue with the script.

Is anyone else running this TA on Splunk Cloud 9.3x ?
Or can anyone from @aplura help?

If my comment helps, please give it a thumbs up!

aplura_llc_supp · ‎10-23-2025

Aplura Checking In!

I was able to reproduce on Splunk Cloud 10.x. It looks to be a problem with missing package components due to upgrade of the UA Parsing package. Upgrades of the TA would work, but not net-new installs.

I'm working to fix it up, should have a new build out "this month". I'll triple confirm working on Splunk Cloud 10 prior to release 😄

FYI -> Job Inspector -> search.log has the "missing modules" notifications and small stacktrace.

Thanks for letting us know!

richgalloway · ‎10-23-2025

What does python.log say?

---
If this reply helps you, Karma would be appreciated.

nickhills · ‎10-23-2025

Nothing whatsoever.

Not a single error, or mention of the aforementioned script

If my comment helps, please give it a thumbs up!

TA-user-agents Failing on Splunk Cloud

installation

troubleshooting

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation