All Apps and Add-ons

Why is Linux script data showing the correct output but not getting correct data?

SK2
Loves-to-Learn

Configured the script based app for the databases which brings the data as follows. As mentioned below. 

When I am running the script at UF corrected expeced output. But when I push an application containg the same script it is fetching me different output.

Expected data after running the script in the UF is as below. 
Date, datname="sql", age="00:00:00"

Output we are receiving at splunk SH is like below. 
Date, datname="datname", age="age"

The script is kept in the location -> /opt/splunkforwarder/etc/apps/appname/bin - scripts  and /opt/splunkforwarder/etc/apps/appname/local - inputs.conf

For troubleshooting I have followed below steps. 
Removed and Pushed the app again
Tried restarting the UF

Can any one know or faced similar issue.
Please help me on this. 

Labels (3)
Tags (2)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

you could debug it with "splunk" user with next command

splunk cmd /opt/splunkforwarder/etc/apps/appname/bin - scripts

This is the way how it has ran as scripted input.

r. Ismo 

0 Karma

shivanshu1593
Builder

Oddly enough your script is messing up while writing the output to stdout. Can you try by outputting the data in a txt file and monitor that txt file and see what results you get, instead of trying to write it to stdout or share a snippet of your script.

++If this helps, please consider accepting as an solution++

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Get Updates on the Splunk Community!

Community Content Calendar, August edition

In the dynamic world of cybersecurity, staying ahead means constantly solving new puzzles and optimizing your ...

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Whether you're managing complex deployments or looking to future-proof your data infrastructure, this session ...