Launching tower-cli playbook from Splunk alert


I have setup an alert to run a tower-cli script that kicks off a playbook. I installed tower-cli in /opt/rh on my Splunk server. In order to troubleshoot, I have stripped the script down to just list some users and pipe it to a file. I can run the script at the cli but it will not run from the alert in Splunk. I know the script is kicking off as I also just have a echo command in the script the dumps the timestamp to the same file. Here is my shell script I am calling from my Splunk alert:

Location of script file is: /home/splunk/bin/scripts


echo "date '+%m-%e-%G %H:%M:%S'" >> "/home/splunk/bin/scripts/nac_interfaces.log"
source /opt/rh/python27/enable
/opt/rh/python27/root/usr/bin/tower-cli user list >> "/home/splunk/bin/scripts/nac_interfaces.log"

This is an error I am getting when the above script tries to execute the via the alerts script in Splunk
ERROR script - sid:rt_scheduler_adminsearch_EUCImaging_at_1529626004_20372.268 command="runshellscript", Script: /opt/splunk/bin/scripts/ exited with status code: 127

Does it matter that splunk is installed in /home with a symlink to /opt?
[root@splunk opt]# pwd
[root@splunk opt]# ls -ll
lrwxrwxrwx. 1 splunk splunk 12 Nov 19 2013 splunk -> /home/splunk

Tags (1)
0 Karma


Hi @ndavis4,

BASH throws the error code 127 when it's not able to find the executable in PATH system variable and it is not a built-in shell command. In other words, the system doesn't understand your command, because it doesn't know where to find the binary you're trying to call.
Try giving absolute path for all the executable and make sure that they have +x permissions and splunk user has permissions to execute them

Happy Splunking!
0 Karma


I do have the full path on my Splunk server to run the tower-cli script. I can run the actual tower-cli command that is in the alerts scripts from any path on the CLI.... "/opt/rh/python27/root/usr/bin/tower-cli user list >> "/home/splunk/bin/scripts/nac_interfaces.log"
Just can't execute it from the alerts scripts in Splunk

Not sure what path it can't find. The tower-cli is attempting to login to another server to run the playbook.

Here is the content of the tower-cli file:

[root@splunk bin]# cat tower-cli


# -*- coding: utf-8 -*-
import re
import sys

from import cli

if __name__ == '__main__':
    sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])

Here is the tower-cli config. foobar would be the host that has the playbook to run

[root@splunk bin]# tower-cli config

# User options (set with `tower-cli config`; stored in ~/.tower_cli.cfg).
username: splunk.service
password: xxxxxxxxx
verify_ssl: False

# Defaults.
use_token: False
verbose: False
format: human
color: True
description_on: False

Could it be a permissions error? When I attempt to run the script at the CLI as a non-root user I get this error: "/opt/rh/python27/root/usr/bin/python2: error while loading shared libraries: cannot open shared object file: No such file or directory"

0 Karma


Yes it could be a permission issue as well as mentioned earlier. sudo as splunk user and try to execute the script

Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...