Getting Data In

Problem configuring lookup table with external script

jcbrendsel
Path Finder

Have been trying to configure a lookup table with an external python script to no avail. Was trying to model it after the following article:

http://docs.splunk.com/Documentation/Splunk/4.3.1/Knowledge/Addfieldsfromexternaldatasources#Set_up_...

The our script takes a user_agent field from an apache access log and parses it using the popular ua_parser python library. The is script accepts one input and provides 10 outputs.

I modified props.conf as follows:

[source::/var/log/httpd/videoportal_access.log]
REPORT-1-videoportal_access-log = access-extractions
LOOKUP-ua-parser = userAgentParse user_agent OUTPUT ua_user_agent_family ua_user_agent_major ua_user_agent_minor ua_os_family ua_os_major ua_os_minor ua_device_is_spider ua_device_is_mobile ua_device_family

And I modified transforms.conf as follows:

[userAgentParse]
external_cmd = user_agent_parser.py user_agent ua_user_agent_family ua_user_agent_major ua_user_agent_minor ua_os_family ua_os_major ua_os_minor ua_device_is_spider ua_device_is_mobile ua_device_family
fields_list = user_agent,ua_user_agent_family,ua_user_agent_major,ua_user_agent_minor,ua_os_family,ua_os_major,ua_os_minor,ua_device_is_spider,ua_device_is_mobile,ua_device_family

The problem is that when I load the access file in question, I get an error.

Script for lookup table 'userAgentParse' returned error code 1. Results may be incorrect.

Any suggestions on how I go about debugging this?

0 Karma

vincesesto
Communicator

Hello,

I have been having a lot of issues with my database lookups as well. Does your user_agent_parser.py script output when you call it to the command line...eg, if you parse an csv file to the script, does it connect to the database correctly and give you the desired output?

I would love to know how to debug the lookups correctly as well, so if you find your answer I think I will find my answer.

Regards,

Vince

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...