Cannot run a simple action script

Path Finder

Hello Team,

Troubleshooting for a few hours the most basic script executed as the action.

Trying manually (search returning ~90 results):
sourcetype="cisco:ios" | runshellscript arg1 arg2 arg3 arg4 arg5 arg6 arg7 "/tmp/test"
got the response: exited with status code: 1

The script content:
cp $8 >/tmp/ttt
(script is executable)

I have /tmp/test readable by all.
As a result I see /tmp/ttt created (it did not exist before) but it's empty. Why?

I want to write a more advanced script like this one:

But I cannot get the simplest script tested. I have followed the troubleshooting guide:
But it's not really helpful.

Could you please help me with this most basic script?


0 Karma

Hi teknet9,

It is described in Splunk docs that runshellscript is not a supported search command:
This is most likely why your method does not work. arg8 is supposed to be the path to the search results passed by Splunk, and you are manually providing a path where the results should not be.

To test your script I would suggest setting up an alert with a script action (your script).

0 Karma

Path Finder

Sorry, a small update: I had a typo in my script,
now I have:
sourcetype="cisco:ios" | runshellscript arg1 arg2 arg3 arg4 arg5 arg6 arg7 "/tmp/test.gz"

Exiting with code 2.

While if I execute from shell:
./ arg1 arg2 arg3 a4 a5 a6 a7 /tmp/test.gz

Everything is working fine (my code is executed, file decompressed and so on).
I have my script in /opt/splunk/bin/script

Code 2 suggests Splunk cannot find the script? Why?

0 Karma
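
An added example, not part of the thread: a sketch of an alert script action that treats the eighth argument as the results file path, as the answer describes, and writes the reason for a failure to a log instead of leaving only a bare exit status. The function name `save_results`, the log path, the `ALERT_LOG` variable and the return codes are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical names: save_results,
# ALERT_LOG, /tmp/alert_script.log and the return codes below.

LOG="${ALERT_LOG:-/tmp/alert_script.log}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >>"$LOG"; }

# save_results <the 8 alert arguments>
# Prints the path of the saved copy on success.
# Returns 64 (too few arguments), 66 (results file unreadable), 73 (copy failed).
save_results() {
    if [ "$#" -lt 8 ]; then
        log "expected 8 arguments, got $#"
        return 64
    fi
    results=$8    # always quote: an unquoted $8 is split on spaces and globbed
    if [ ! -r "$results" ]; then
        # Record the account too: the script runs as the Splunk user, not as you.
        log "results file not readable by $(id -un): $results"
        return 66
    fi
    # mktemp creates an unpredictable, owner-only file rather than a fixed
    # /tmp name that another local user could pre-create or symlink.
    out=$(mktemp "${TMPDIR:-/tmp}/alert_results.XXXXXX") || {
        log "mktemp failed"
        return 73
    }
    # Both branches name a source and a destination; a cp with a single
    # operand fails while the shell redirection still creates an empty file.
    case $results in
        *.gz) gzip -dc -- "$results" >"$out" 2>>"$LOG" ;;
        *)    cp -- "$results" "$out" 2>>"$LOG" ;;
    esac || {
        log "copy of $results failed"
        rm -f -- "$out"
        return 73
    }
    log "saved $results to $out"
    printf '%s\n' "$out"
}

# Run only when called with arguments, as an alert action would be.
if [ "$#" -gt 0 ]; then
    save_results "$@"
    exit $?
fi
```

After a failed run, the last line of the log file states which check failed and for which path and account.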