All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to avoid ExecProcessor rescheduling?

denissotoacc
Path Finder
‎07-20-2022 12:32 PM

I've configured an inputs.conf to run a single .bat script:

 

 

[script://.\bin\scripts\prueba_py.bat]
disabled = 0
_TCP_ROUTING = splunkcloud_prod
index = ldcsap
sourcetype = _json
interval = 0-59/5 * * * *

 

 


My batch script prueba_py.bat just execute a python script called prueba_py.py:

 

 

@echo off
python.exe "C:\Program Files\SplunkUniversalForwarder\etc\apps\myapp\bin\scripts\prueba_py.py"
exit /b 0

 

 


And finally my python script only creates a dictionary, convert it to json and print it:

 

 

import json

person = {"name":"Denis","surname":"Soto","age":"34"}
print(json.dumps(person))
exit(0)

 

 

Assuming the inputs.conf stanza, it should be executed every 5 minutes, using the TCP_ROUTING and indexing the data to "ldcsap" index. Well... that's not happening.

I'm receiving the following INFO alert in splunkd.log, I cannot find the error.

07-20-2022 16:30:00.033 -0300 INFO ExecProcessor [6652 ExecProcessor] - setting reschedule_ms=299967, for
command="C:\Program Files\SplunkUniversalForwarder\etc\apps\myapp\bin\scripts\prueba_py.bat"

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-20-2022 01:22 PM

The INFO message is saying the script will run again in 5 minutes (minus 33 ms).  That's what you want, right?

If the scripted input is not doing what is expected then you should check the splunkd and python logs for messages that might explain why it is failing.

I suspect the problem stems from Splunk Universal Forwarders not having a Python interpreter (unlike heavy forwarders).  The version of Python installed won't have the Splunk-specific modules that automatically index the script's output.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎07-20-2022 11:31 PM

Exactly, you could use Heavy Forwarder and use python script directly.

Printing from an external python interpreter will not index the data.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...