topic Re: setup.xml: problems with windows scripted input format in Splunk Search

setup.xml: problems with windows scripted input format

mw — Mon, 20 Jun 2011 12:34:01 GMT

I have a setup.xml which uses the following format for scripted inputs on Unix systems:

# inputs.conf
[script://./bin/nmap.sh]

# setup.xml
<block title="Ping Scan" endpoint="admin/script" entity=".%252Fbin%252Fnmap.sh">
  ...
</block>

That works just fine, though I'll admit that I'm not clear on what the "25" part of %252F represents (I realize %2F is a "/" character, and I think %25 is a "%" character?). Anyways, I'm having some problems flipping this around for Windows. What should the "encoded" script path look like? The following doesn't work:

# inputs.conf
[script://.\bin\nmap.cmd]

# setup.xml
<block title="Ping Scan" endpoint="admin/script" entity=".%5Cbin%5Cnmap.cmd">
  ...
</block>

The input stanza works just fine for me. The setup.xml block displays correctly on the setup page as is, but if I try to save it I get an error:

Encountered the following error while trying to update: In handler 'localapps': Cannot edit input &quot;.binnmap.cmd&quot;, no input exists with that name

The error shows no backslash characters, so I'm wondering if they're getting chewed up on the save operation, or just in displaying the error. In any case, I've tried a few variations on the block, but if I move away from just the "%5C" the setup page won't display at all saying that it can't be found or something similar:

<block title="Ping Scan" endpoint="admin/script" entity=".%255Cbin%255Cnmap.cmd">
<block title="Ping Scan" endpoint="admin/script" entity=".%5C5Cbin%5C5Cnmap.cmd">

What am I doing wrong here?

Also, as a side note, while it's not such a big deal in this case, it would be awesome if I could use a forward slash in inputs.conf on both Unix and Windows. i.e. why can't the stanza below just work everywhere?

[script://.bin/foo.py]

Re: setup.xml: problems with windows scripted input format

ziegfried — Mon, 20 Jun 2011 19:02:50 GMT

The easiest way to get the entity for such setup.xml fields is to look at the REST endpoint listing. Just point your browser to https://your-splunk-server:8089/services/data/inputs/script and simply copy the url and take the entity part from it.

Btw. I second the suggestion of being able to specify scripts using forward slashes on Windows.

Update:

In my experience it's better to add scripted inputs by specifying the full path:

[script://$SPLUNK_HOME/etc/apps/myapp/bin/myscript.py]

To illustrate what I was trying to say above:

You can find multiple links (those are links to entities) at the REST page I've mentioned above. For example the link could look like this:

https://localhost:8089/servicesNS/nobody/myapp/admin/script/%24SPLUNK_HOME%5Cetc%5Capps%5Cmyapp%5Cbin%5Cmyscript.py

The entity you have to use in the setup.xml is the part after the last /. ie:

%24SPLUNK_HOME%5Cetc%5Capps%5Cmyapp%5Cbin%5Cmyscript.py

Re: setup.xml: problems with windows scripted input format

mw — Tue, 21 Jun 2011 01:51:20 GMT

Thanks for the help. I actually don't see many of my scripted inputs at that url. In fact, the only place that I could find a reference is here: https://your-splunk-server:8089/services/apps/local/asset_discovery/setup. However, I'm not sure how reliable that is for Splunk's idea of what the encoded path should be versus what my setup routine has specified...

Re: setup.xml: problems with windows scripted input format

hazekamp — Tue, 21 Jun 2011 03:33:40 GMT

I believe the following will work for both unix and windows:

<block title="Ping Scan" endpoint="admin/script" entity=".*bin.*nmap\..*" mode="iter">
...
</block>

Update: It looks like admin/script is interpreting your relative path. For example, on my machine ./bin/nmap.sh translates to /Users/hazekamp/Applications/splunk/etc/system/local/bin/nmap.sh in admin/script.

The wildcarded entity above should be generic enough to match your nmap command.

Re: setup.xml: problems with windows scripted input format

ziegfried — Tue, 21 Jun 2011 07:41:13 GMT

You're using the admin/script endpoint and not any custom setup routine. You should at least see a reference here https://localhost:8089/services/admin/script if your input is configured correctly.

Re: setup.xml: problems with windows scripted input format

mw — Tue, 21 Jun 2011 16:47:25 GMT

That seems to work ok enough to allow the setup page to render, but I still get the same error when I attempt to save (on my [script://.\bin\nmap.cmd] input). I'm at a loss. I don't know if I'm being an idiot, or this is some weird bug...

My comment on format for both Unix and Windows was really directed at inputs.conf (i.e. if I have a python input, why do I need to muck around with forward vs. backslash if I've taken the time to code my python to work on any platform) -- it was a bit of a tangent. 🙂

Re: setup.xml: problems with windows scripted input format

mw — Tue, 21 Jun 2011 17:01:07 GMT

Yeah, I'm confused by that. I don't see much at the other url either. Everything I see at those urls starts with $SPLUNK_HOME and the data is in the default index...

Re: setup.xml: problems with windows scripted input format

ziegfried — Tue, 21 Jun 2011 19:14:01 GMT

I've updated the answer. I hope that's understandable now.

Re: setup.xml: problems with windows scripted input format

jkat54 — Sat, 09 Jul 2016 02:43:59 GMT

I have the same exact problem and it's driving me nuts.

One work around is to have a binary for each type of input (win/lin) something like script.win.py and script.lin.py. But now you have the same code in two python files possibly.

Another work around is to use entity=".*script.win.py" mode="bulk". But now it will enable/disable both the windows and linux inputs each time. Side note, having a linux type scripted input enabled doesnt cause any harm.

Re: setup.xml: problems with windows scripted input format

splunk_mkhan — Tue, 29 Sep 2020 13:12:10 GMT

did you find any solution?I am facing similar issue
I am trying to update input.conf stanza at windows, it is working fine in linux but giving following error in windows 7.

Encountered the following error while trying to update: In handler 'localapps': Cannot find item for POST arg_name="/admin/script/%24SPLUNK_HOME%5Cetc%5Capps%5Cmy_app%5Cbin%5Cmy_script.py%2015/enabled"

For reference, here are excerpts from inputs.conf and setup.xml:

inputs.conf:

 [script://$SPLUNK_HOME\etc\apps\my_app\bin\my_script.py 15]
      disabled = 0

setup.xml

<block title="my script setting"
             endpoint="admin/script"
             entity="%24SPLUNK_HOME%5Cetc%5Capps%5CiSIGHTPartners_ThreatScape_App%5Cbin%5Cmy_script.py%2015">
     <input field="enabled">
         <label>Enable</label>
         <type>bool</type>
     </input>
 </block>

Any help will be appreciated.
thanks,