Why does scripted input not get executed?

pbnl · ‎08-11-2022

hello all,

i have an app developed on my linux splunk sandbox and it is working fine.
after copying it to the deployment server and deploy it to a UF running on linux, it's not running at all.
the inputs.conf is:

[script://$SPLUNK_HOME/etc/apps/PBNL_getTVlogs/bin/getTVlogs.sh]
disabled = false
interval = 0 14 * * *
index = tvlogs
sourcetype = TVlogs

[monitor://$SPLUNK_HOME/etc/apps/PBNL_getTVlogs/logs/TVlogs.csv]
disabled = false
index = tvlogs
sourcetype = TVlogs

so what's wrong here?

any help is welcome 🙂

pbnl · ‎08-12-2022

so nobody else any idea why?

to bring in some more details:
the splunk landscape is build out of 4 servers.
1st is Cluster Master, KV Store, License Master, Search Head
2nd and 3rd are Indexer
4th is Deployment Server

the index tvlogs is defined on the cluster master with a whole bunch of other indexes

etc/master-apps/_cluster/local/indexes.conf
[tvlogs]
repFactor = auto
maxHotSpanSecs = 86400
homePath = $SPLUNK_DB/tvlogs/db
frozenTimePeriodInSecs = 15552000
thawedPath = $SPLUNK_DB/tvlogs/thaweddb
coldPath = $SPLUNK_DB/tvlogs/colddb

and it's deployed to the indexer cluster

splunk@indexer1:[/opt/splunk]: ll var/lib/splunk/tvlogs/*
var/lib/splunk/tvlogs/colddb:
total 8
drwx------ 2 splunk splunk 4096 Jul 22 14:20 ./
drwx------ 6 splunk splunk 4096 Jul 22 14:20 ../

var/lib/splunk/tvlogs/datamodel_summary:
total 8
drwx------ 2 splunk splunk 4096 Jul 22 14:20 ./
drwx------ 6 splunk splunk 4096 Jul 22 14:20 ../

var/lib/splunk/tvlogs/db:
total 16
drwx------ 2 splunk splunk 4096 Aug 10 09:17 ./
drwx------ 6 splunk splunk 4096 Jul 22 14:20 ../
-rw------- 1 splunk splunk  169 Aug 10 09:17 .bucketManifest
-rw------- 1 splunk splunk   10 Jul 22 14:22 CreationTime

the other files are located on the UF where the script should run

splunk@srv141:~/etc/apps/PBNL_getTVlogs$ ll *
bin:
total 20
drwxr-xr-x 2 splunk splunk 4096 Aug 11 14:50 ./
drwxr-xr-x 7 splunk splunk 4096 Aug 11 13:34 ../
-rwxrw-r-- 1 splunk splunk  573 Aug 11 14:50 getTVlogs.sh*
-rwxrw-r-- 1 splunk splunk  687 Aug 11 13:34 json2csv*

default:
total 16
drwxr-xr-x 3 splunk splunk 4096 Aug 11 13:34 ./
drwxr-xr-x 7 splunk splunk 4096 Aug 11 13:34 ../
-rw-r--r-- 1 splunk splunk  181 Aug 11 13:34 app.conf
drwxr-xr-x 3 splunk splunk 4096 Aug 11 13:34 data/

local:
total 20
drwxr-xr-x 2 splunk splunk 4096 Aug 11 13:34 ./
drwxr-xr-x 7 splunk splunk 4096 Aug 11 13:34 ../
-rw-r--r-- 1 splunk splunk   55 Aug 11 13:34 app.conf
-rw-rw-r-- 1 splunk splunk  258 Aug 11 13:34 inputs.conf
-rw-rw-r-- 1 splunk splunk  388 Aug 11 13:34 props.conf

logs:
total 16
drwxr-xr-x 2 splunk splunk   4096 Aug 11 14:49 ./
drwxr-xr-x 7 splunk splunk   4096 Aug 11 13:34 ../

metadata:
total 16
drwxr-xr-x 2 splunk splunk 4096 Aug 11 13:34 ./
drwxr-xr-x 7 splunk splunk 4096 Aug 11 13:34 ../
-rw-r--r-- 1 splunk splunk  403 Aug 11 13:34 default.meta
-rw-r--r-- 1 splunk splunk  187 Aug 11 13:34 local.meta

do i need to change something here?

richgalloway · ‎08-11-2022

Any errors in the UF's logs?

---
If this reply helps you, Karma would be appreciated.

pbnl · ‎08-11-2022

no. the only thing i see in the UF's log is, that the app is installed.
all files and folders are created. the monitor is created too:

splunk@srv141:~$ splunk list monitor
Monitored Directories:
        $SPLUNK_HOME/var/log/splunk
        some other directories
Monitored Files:
        $SPLUNK_HOME/etc/apps/PBNL_getTVlogs/logs/TVlogs.csv
        some other files

Why does scripted input not get executed?

troubleshooting

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

Why does scripted input not get executed?

troubleshooting

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0