Hello all,
I have an app developed on my Linux Splunk sandbox and it is working fine.
After copying it to the deployment server and deploying it to a UF running on Linux, it's not running at all.
The inputs.conf is:
[script://$SPLUNK_HOME/etc/apps/PBNL_getTVlogs/bin/getTVlogs.sh]
disabled = false
interval = 0 14 * * *
index = tvlogs
sourcetype = TVlogs
[monitor://$SPLUNK_HOME/etc/apps/PBNL_getTVlogs/logs/TVlogs.csv]
disabled = false
index = tvlogs
sourcetype = TVlogs
So what's wrong here?
Any help is welcome 🙂
So nobody else has any idea why?
To bring in some more details:
The Splunk landscape is built out of 4 servers.
1st is Cluster Master, KV Store, License Master, Search Head
2nd and 3rd are Indexers
4th is Deployment Server
The index tvlogs is defined on the cluster master with a whole bunch of other indexes
etc/master-apps/_cluster/local/indexes.conf
[tvlogs]
repFactor = auto
maxHotSpanSecs = 86400
homePath = $SPLUNK_DB/tvlogs/db
frozenTimePeriodInSecs = 15552000
thawedPath = $SPLUNK_DB/tvlogs/thaweddb
coldPath = $SPLUNK_DB/tvlogs/colddb
And it's deployed to the indexer cluster
splunk@indexer1:[/opt/splunk]: ll var/lib/splunk/tvlogs/*
var/lib/splunk/tvlogs/colddb:
total 8
drwx------ 2 splunk splunk 4096 Jul 22 14:20 ./
drwx------ 6 splunk splunk 4096 Jul 22 14:20 ../
var/lib/splunk/tvlogs/datamodel_summary:
total 8
drwx------ 2 splunk splunk 4096 Jul 22 14:20 ./
drwx------ 6 splunk splunk 4096 Jul 22 14:20 ../
var/lib/splunk/tvlogs/db:
total 16
drwx------ 2 splunk splunk 4096 Aug 10 09:17 ./
drwx------ 6 splunk splunk 4096 Jul 22 14:20 ../
-rw------- 1 splunk splunk 169 Aug 10 09:17 .bucketManifest
-rw------- 1 splunk splunk 10 Jul 22 14:22 CreationTime
The other files are located on the UF where the script should run
splunk@srv141:~/etc/apps/PBNL_getTVlogs$ ll *
bin:
total 20
drwxr-xr-x 2 splunk splunk 4096 Aug 11 14:50 ./
drwxr-xr-x 7 splunk splunk 4096 Aug 11 13:34 ../
-rwxrw-r-- 1 splunk splunk 573 Aug 11 14:50 getTVlogs.sh*
-rwxrw-r-- 1 splunk splunk 687 Aug 11 13:34 json2csv*
default:
total 16
drwxr-xr-x 3 splunk splunk 4096 Aug 11 13:34 ./
drwxr-xr-x 7 splunk splunk 4096 Aug 11 13:34 ../
-rw-r--r-- 1 splunk splunk 181 Aug 11 13:34 app.conf
drwxr-xr-x 3 splunk splunk 4096 Aug 11 13:34 data/
local:
total 20
drwxr-xr-x 2 splunk splunk 4096 Aug 11 13:34 ./
drwxr-xr-x 7 splunk splunk 4096 Aug 11 13:34 ../
-rw-r--r-- 1 splunk splunk 55 Aug 11 13:34 app.conf
-rw-rw-r-- 1 splunk splunk 258 Aug 11 13:34 inputs.conf
-rw-rw-r-- 1 splunk splunk 388 Aug 11 13:34 props.conf
logs:
total 16
drwxr-xr-x 2 splunk splunk 4096 Aug 11 14:49 ./
drwxr-xr-x 7 splunk splunk 4096 Aug 11 13:34 ../
metadata:
total 16
drwxr-xr-x 2 splunk splunk 4096 Aug 11 13:34 ./
drwxr-xr-x 7 splunk splunk 4096 Aug 11 13:34 ../
-rw-r--r-- 1 splunk splunk 403 Aug 11 13:34 default.meta
-rw-r--r-- 1 splunk splunk 187 Aug 11 13:34 local.meta
Do I need to change something here?
Any errors in the UF's logs?
No. The only thing I see in the UF's log is that the app is installed.
All files and folders are created. The monitor is created too:
splunk@srv141:~$ splunk list monitor
Monitored Directories:
$SPLUNK_HOME/var/log/splunk
some other directories
Monitored Files:
$SPLUNK_HOME/etc/apps/PBNL_getTVlogs/logs/TVlogs.csv
some other files