msg="A script exited abnormally" input="$SPLUNK_HOME/etc/apps/splunk_app_stream/bin/deploy_splunk_ta_stream.py " stanza="default" status="exited with code 1"

0waste_splunk
Communicator

msg="A script exited abnormally" input="$SPLUNK_HOME/etc/apps/splunk_app_stream/bin/deploy_splunk_ta_stream.py " stanza="default" status="exited with code 1"

The error message appears once every hour. We have Splunk Enterprise 6.1.2 and Splunk App for Stream 6.1.

We don't want to disable "confcheck_script_errors" in Settings --> Data Inputs --> Configuration Checker.
We want a permanent solution to this problem.

mdickey_splunk
Splunk Employee

This script should only ever be run once by splunkd at startup. If it's running once per hour, there may be a bug in splunkd's scheduler. I recommend filing a (splunkd, not App for Stream) bug report on that.

All it does is copy the files from $SPLUNK_HOME/etc/apps/splunk_app_stream/install/Splunk_TA_stream into $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/deployment-apps, and creates local/inputs.conf files (copied from default/inputs.conf). As a work-around, you could just perform these steps manually and disable the script by setting disabled=1 in splunk_app_stream's inputs.conf file.

It would be interesting to know why it's failing. Are there any other error messages in your $SPLUNK_HOME/var/log/splunk/stream_installer.log or splunkd.log file located in the same directory?

0 Karma

0waste_splunk
Communicator

Hi mdickey_splunk,

I don't see any other errors in either $SPLUNK_HOME/var/log/splunk/stream_installer.log or splunkd.log.

But one thing I notice in stream_installer.log is that it is somehow resetting disable=0 every now and then:

 [INFO] /home/splunk/etc/apps/splunk_app_stream/install/Splunk_TA_stream was successfully copied to /home/splunk/etc/apps/Splunk_TA_stream
 [INFO] created config file (disabled=1): /home/splunk/etc/apps/Splunk_TA_stream/local/inputs.conf
 [INFO] /home/splunk/etc/apps/splunk_app_stream/install/Splunk_TA_stream was successfully copied to /home/splunk/etc/deployment-apps/Splunk_TA_stream
 [INFO] created config file (disabled=0): /home/splunk/etc/deployment-apps/Splunk_TA_stream/local/inputs.conf
0 Karma

mdickey_splunk
Splunk Employee

The log entries you included are part of the install process, when it copies the Splunk_TA_stream directory. It should only include entries for when you first start Splunk, and if you already have Splunk_TA_stream installed (and running the latest version), it should just have entries saying that it's doing nothing. It should not update Splunk_TA_stream if it's already installed and the latest version (as determined by splunk_app_stream version). Would you send a larger snippet from that log file?

0 Karma

0waste_splunk
Communicator
 09:05:15,059 [INFO] Splunk App for Stream Dependency Manager: Exiting...
 10:41:08,811 [INFO] Splunk App for Stream Dependency Manager: Starting...
 10:34:13,787 [INFO] Splunk App for Stream Dependency Manager: Starting...
 16:31:39,409 [INFO] Splunk App for Stream Dependency Manager: Starting...
 09:14:56,112 [INFO] Splunk App for Stream Dependency Manager: Starting...
 09:36:19,720 [INFO] Splunk App for Stream Dependency Manager: Starting...
 13:25:15,743 [INFO] Splunk App for Stream Dependency Manager: Starting...
 15:05:01,399 [INFO] Splunk App for Stream Dependency Manager: Starting...
 16:25:17,324 [INFO] Splunk App for Stream Dependency Manager: Starting...
 10:22:36,261 [INFO] Splunk App for Stream Dependency Manager: Starting...
 15:30:43,211 [INFO] Splunk App for Stream Dependency Manager: Starting...
 14:20:34,908 [INFO] Splunk App for Stream Dependency Manager: Starting...
 11:06:50,844 [INFO] Splunk App for Stream Dependency Manager: Starting...
 12:18:49,808 [INFO] Splunk App for Stream Dependency Manager: Starting...
 11:52:13,863 [INFO] Splunk App for Stream Dependency Manager: Starting...
 11:54:49,352 [INFO] Splunk App for Stream Dependency Manager: Starting...
 11:56:50,331 [INFO] Splunk App for Stream Dependency Manager: Starting...
 15:48:02,104 [INFO] Splunk App for Stream Dependency Manager: Starting...
 12:10:38,010 [INFO] Splunk App for Stream Dependency Manager: Starting...
0 Karma

mdickey_splunk
Splunk Employee

Do you have some non-standard configuration of splunkd WRT its REST API endpoints? Non-standard port or something? Maybe a firewall? Every "Starting..." entry should have a corresponding "Exiting..." entry and additional entries in between saying what it's doing. The only way I can imagine it only having "Starting..." entries is if it's failing to query these endpoints.

0 Karma

mdickey_splunk
Splunk Employee

On second thought, I'm guessing splunkd may be trying to re-run it every hour only because it is failing. That may be expected behavior.

0 Karma
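
The replies above note that every "Starting..." entry in stream_installer.log should be followed by intermediate entries and a matching "Exiting..." entry. The following is an added example, not part of the original thread and not Splunk's code, that groups the log into runs and reports the ones that never exited. The function names and the sample lines are constructed for illustration, and the line format is assumed from the excerpts posted in the thread.

```python
import re

# Line shape seen in the thread: optional "HH:MM:SS,mmm", then "[LEVEL] message".
LINE_RE = re.compile(
    r"^\s*(?:(?P<ts>\d{2}:\d{2}:\d{2},\d{3})\s+)?\[(?P<level>[A-Z]+)\]\s+(?P<msg>.*)$"
)
START = "Dependency Manager: Starting..."
EXIT = "Dependency Manager: Exiting..."

# Constructed sample (not taken from a real system): one complete run, two that never exit.
SAMPLE = """\
 09:05:10,001 [INFO] Splunk App for Stream Dependency Manager: Starting...
 09:05:14,500 [INFO] created config file (disabled=1): /opt/splunk/etc/apps/Splunk_TA_stream/local/inputs.conf
 09:05:15,059 [INFO] Splunk App for Stream Dependency Manager: Exiting...
 10:05:08,811 [INFO] Splunk App for Stream Dependency Manager: Starting...
 11:05:09,120 [INFO] Splunk App for Stream Dependency Manager: Starting...
"""

def split_runs(lines):
    """Group log lines into runs; a run opens at 'Starting...' and closes at 'Exiting...'."""
    runs, current = [], None
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an installer log entry
        ts, msg = m.group("ts"), m.group("msg").strip()
        if msg.endswith(START):
            if current is not None:
                runs.append(current)  # previous run was cut off before 'Exiting...'
            current = {"start": ts, "end": None, "complete": False, "steps": []}
        elif current is None:
            continue  # entry outside any run
        elif msg.endswith(EXIT):
            current.update(end=ts, complete=True)
            runs.append(current)
            current = None
        else:
            current["steps"].append(msg)  # what the script reported doing
    if current is not None:
        runs.append(current)
    return runs

def incomplete_runs(runs):
    """Runs that logged 'Starting...' but never reached 'Exiting...'."""
    return [r for r in runs if not r["complete"]]

if __name__ == "__main__":
    for run in incomplete_runs(split_runs(SAMPLE.splitlines())):
        print("run started at", run["start"], "never exited; steps logged:", len(run["steps"]))
```

A run with no steps and no exit matches the pattern in the posted log, where the script stops before it reports any work.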