All Apps and Add-ons

File Meta Data on Universal Forwarder

Venkat_16
Contributor

I am trying to get file changes and metadata information for certain directories.
Can this app File/Directory Information Input be used in Universal Forwarder or does it need heavy forwarder/Enterprise Splunk?

0 Karma

LukeMurphey
Champion

The File/Directory Information Input app does use Python and thus does need a Heavy Forwarder.

Update:
I'm looking into supporting this in a later release. See http://lukemurphey.net/issues/1068 for progress updates.

Update [2]:
As of version 1.3, Universal Forwarders are supported provided the host has Python installed.

Venkat_16
Contributor

Agreed.
Is there any option to leverage the python installed in OS. Any workaround?

0 Karma

LukeMurphey
Champion

I haven't tried using system Python to run modular inputs before. I think it may be possible with a small change to the modular input class. Currently, it uses make_splunkhome_path from splunk.appserver.mrsparkle.lib.util which won't be available on system Python. I could make that optional though.

I'm willing to try.

0 Karma

Venkat_16
Contributor

Thanks Luke.

Also, another request is - will it be possible to use cron schedule in the interval field instead of specifying (10m,2h, etc.)?
Does that work already in this app (or in your website monitoring app etc) or it cannot be implemented at all?

0 Karma

LukeMurphey
Champion

It isn't possible now but I'm looking into (http://lukemurphey.net/issues/1095)

0 Karma

sumgadde
New Member

I am getting same error : ERROR ModularInputs - Unable to initialize modular input "file_meta_data" defined inside the app "ab_filemetadata_xx_inputs": Introspecting scheme=file_meta_data: script running failed (exited with code 1).
Python is Running on UF.

inputs.conf

[file_meta_data://Test]
depth_limit = 0
file_hash_limit = 500MB
file_path = /home/gaddes/test.txt
include_file_hash = 0
index = main
interval = 2m
only_if_changed = 1
recurse = 1
disabled = 0
Is there any pointer to resolve this issue ?

Add your comment...

0 Karma

LukeMurphey
Champion

This is fixed in version 1.4.2.

0 Karma

Venkat_16
Contributor

I see the below error in splunkd.log of Universal Forwarder..

ERROR ModularInputs - Unable to initialize modular input "file_meta_data" defined inside the app "file_meta_data": Introspecting scheme=file_meta_data: script running failed (exited with code 1)

My understanding is that, Splunk Universal Forwarder does not have python on its own.
I have python in OS, how do I leverage and acheive this?

0 Karma

sumgadde
New Member

I am getting same error : ERROR ModularInputs - Unable to initialize modular input "file_meta_data" defined inside the app "ab_filemetadata_xx_inputs": Introspecting scheme=file_meta_data: script running failed (exited with code 1).
Python is Running on UF.

inputs.conf

[file_meta_data://Test]
depth_limit = 0
file_hash_limit = 500MB
file_path = /home/gaddes/test.txt
include_file_hash = 0
index = main
interval = 2m
only_if_changed = 1
recurse = 1
disabled = 0
Is there any pointer to resolve this issue ?

0 Karma

LukeMurphey
Champion

Make sure to use the most recent version of the app. There was an issue I recently fixed that prevented the app from working on Universal Forwarders.

0 Karma

sumgadde
New Member

I am using version 1.3 , I assume this version supports UF on which Python is installed. Is there any other pointer ? Should I need to use later version of the App ? If Yes , which Files do I need to update like file_meta_data.py ?
Thanks for Support ...

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...