Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Problem configuring lookup table with external script

jcbrendsel
Path Finder
‎06-18-2012 03:57 PM

Have been trying to configure a lookup table with an external python script to no avail. Was trying to model it after the following article:

http://docs.splunk.com/Documentation/Splunk/4.3.1/Knowledge/Addfieldsfromexternaldatasources#Set_up_...

The our script takes a user_agent field from an apache access log and parses it using the popular ua_parser python library. The is script accepts one input and provides 10 outputs.

I modified props.conf as follows:

[source::/var/log/httpd/videoportal_access.log]
REPORT-1-videoportal_access-log = access-extractions
LOOKUP-ua-parser = userAgentParse user_agent OUTPUT ua_user_agent_family ua_user_agent_major ua_user_agent_minor ua_os_family ua_os_major ua_os_minor ua_device_is_spider ua_device_is_mobile ua_device_family

And I modified transforms.conf as follows:

[userAgentParse]
external_cmd = user_agent_parser.py user_agent ua_user_agent_family ua_user_agent_major ua_user_agent_minor ua_os_family ua_os_major ua_os_minor ua_device_is_spider ua_device_is_mobile ua_device_family
fields_list = user_agent,ua_user_agent_family,ua_user_agent_major,ua_user_agent_minor,ua_os_family,ua_os_major,ua_os_minor,ua_device_is_spider,ua_device_is_mobile,ua_device_family

The problem is that when I load the access file in question, I get an error.

Script for lookup table 'userAgentParse' returned error code 1. Results may be incorrect.

Any suggestions on how I go about debugging this?

0 Karma
Reply

vincesesto
Communicator
‎09-28-2012 12:05 AM

Hello,

I have been having a lot of issues with my database lookups as well. Does your user_agent_parser.py script output when you call it to the command line...eg, if you parse an csv file to the script, does it connect to the database correctly and give you the desired output?

I would love to know how to debug the lookups correctly as well, so if you find your answer I think I will find my answer.

Regards,

Vince

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...