topic Re: Why is my "/usr/bin/last" script not working? in Getting Data In

Why is my "/usr/bin/last" script not working?

karakutu — Mon, 31 Jul 2017 16:09:16 GMT

i have problem with my basic script.

ist connnten only

#!/bin/sh

/usr/bin/last

i updated also my default/inputs.conf below:

[script://./bin/who.sh]
interval = */1 * * * *
index = main
sourcetype = who

but i can not find the out put of it.

when i delete the /usr/bin/last line and add such echo "test"; it works!!

how can i fix this problem? i know that my script works, but Splunk can not parse it.

Re: Why is my "/usr/bin/last" script not working?

s2_splunk — Mon, 31 Jul 2017 16:56:47 GMT

Have you checked splunkd.log for any hints as to what may be going wrong?

Re: Why is my "/usr/bin/last" script not working?

karakutu — Mon, 31 Jul 2017 17:28:44 GMT

i checked the splunkd.logs but i can do it again.
on the log i can see only that the script is executed

when i change the script content like below:

/usr/bin/last  | awk  -F: '{ print $1 }'

i can find it at the splunk server site. i think something wrong with parsing.

Re: Why is my "/usr/bin/last" script not working?

karakutu — Thu, 03 Aug 2017 07:24:36 GMT

how can i debug such a problem. when i change the content of the script splunk index it.

but i can not index the output of /usr/bin/last

Re: Why is my "/usr/bin/last" script not working?

FritzWittwer_ol — Thu, 03 Aug 2017 07:43:34 GMT

Try to run the script from the command line as the user under wich Splunk is running, Splunk should index what you see as output there. Output which is written to standard error goes to the splunkd.log.

Re: Why is my "/usr/bin/last" script not working?

karakutu — Thu, 03 Aug 2017 12:42:50 GMT

i dont know how. but after i extract a couple of field of log. splunk begin to recognise the logs

thanks

Re: Why is my "/usr/bin/last" script not working?

karakutu — Wed, 09 Aug 2017 15:15:51 GMT

when i change the scipt following its work again

so there is something wrong with the time

/usr/bin/last   | sed  's/:/./g'

root     tty1                          Mon Apr 25 13.24 - 13.26  (00.01)

Re: Why is my "/usr/bin/last" script not working?

FritzWittwer_ol — Wed, 09 Aug 2017 21:47:57 GMT

So the script works, but timestamp and event breaking fails. As long as you don't remove the colons Splunk will use the default settings and recognise this timestamps and brake the events there.
There are various ways to fix it, but the laziest one would be to look at the Splunk Add-on for Unix, or at least the definition of the scripted input and the lastlog stanza from the props.conf.