I had a very similar issue, and found a workaround: adding "local=true" on the lookup statement, to make it run on the search head instead of an indexer.
For a silly example, you could do:
index=_internal | eval my_url_field="www.google.com:1234/path1/path2?blahblah" | lookup local=true ut_parse_simple_lookup url AS my_url_field
An external lookup is looking for scripts in:
but trying to run from a clustered indexer means that the script instead lives in:
Forcing it to run instead on the search head means that the scripts indeed will exist in:
To make this tidier, you can create a local version of macros.conf, with "local=true" inserted into all lookup statements, either superseding existing macro names, or with new macro names.
The side effect is that you will be taxing your search heads when calling URL Toolbox.
... View more