Troubleshooting for a few hours the most basic script executed as the action.
Trying manually (search returning ~90 results):
sourcetype="cisco:ios" | runshellscript create_inc.sh arg1 arg2 arg3 arg4 arg5 arg6 arg7 "/tmp/test"
Got the response: create_inc.sh exited with status code: 1
The script create_inc.sh content:
cp $8 >/tmp/ttt
(script is executable)
I have /tmp/test readable by all.
As a result I see /tmp/ttt created (it did not exist before), but it's empty. Why?
I want to write a more advanced script like this one:
But I cannot get the simplest script tested. I have followed the troubleshooting guide:
But it's not really helpful.
Could you please help me with this most basic script?
It is described in Splunk docs that runshellscript is not a supported search command:
This is most likely why your method does not work. arg8 is supposed to be the path to the search results passed by Splunk, and you are manually providing a path where the results should not be.
To test your script I would suggest setting up an alert with a script action (your script).
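An added example, not part of the thread or of Splunk's documentation: a hypothetical alert script that treats its eighth argument as the results-file path the answer describes, quotes and validates it, and returns a distinct, logged exit code for each failure so a bare "exited with status code" message can be traced. The log location, the function names and the gzip handling (inferred from the .gz path in the follow-up) are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical), not the poster's create_inc.sh.
# Assumption from the thread: argument 8 is the path to the results file,
# and that file may be gzip-compressed.

LOG="${CREATE_INC_LOG:-/tmp/create_inc.log}"   # hypothetical log location

log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >>"$LOG"; }

# copy_results SRC DEST_DIR
# Prints the path of a decompressed copy of SRC created inside DEST_DIR.
# Return codes follow sysexits conventions so each failure is distinguishable.
copy_results() {
    src=$1; dest_dir=$2
    [ -n "$src" ] || { log "no results path given"; return 64; }
    [ -f "$src" ] && [ -r "$src" ] || { log "unreadable: $src"; return 66; }
    # mktemp avoids a fixed, predictable output name in a shared directory.
    out=$(mktemp "$dest_dir/results.XXXXXX") || { log "mktemp failed"; return 73; }
    # Every expansion is quoted and "--" ends option parsing, so a path with
    # spaces or a leading dash is treated as one file name.
    case $src in
        *.gz) gzip -dc -- "$src" >"$out" ;;
        *)    cat -- "$src" >"$out" ;;
    esac || { log "copy failed: $src"; rm -f "$out"; return 74; }
    log "copied $src to $out"
    printf '%s\n' "$out"
}

main() {
    [ "$#" -ge 8 ] || { log "expected 8 arguments, got $#"; return 64; }
    copy_results "$8" "${TMPDIR:-/tmp}" >/dev/null
}

# Run only when arguments are supplied (the alert action passes eight).
if [ "$#" -gt 0 ]; then
    main "$@"
    exit $?
fi
```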
Sorry, a small update: I had a typo in my script.
Now I have:
sourcetype="cisco:ios" | runshellscript create_inc.sh arg1 arg2 arg3 arg4 arg5 arg6 arg7 "/tmp/test.gz"
Exiting with code 2.
While if I execute from shell:
./create_inc.sh arg1 arg2 arg3 a4 a5 a6 a7 /tmp/test.gz
Everything is working fine (my code is executed, the file is decompressed, and so on).
I have my script in /opt/splunk/bin/script
Code 2 suggests Splunk cannot find the script? Why?