msg="A script exited abnormally" input="$SPLUNK_HOME/etc/apps/splunk_app_stream/bin/deploy_splunk_ta_stream.py " stanza="default" status="exited with code 1"
The error message appears once every hour. We have Splunk Enterprise 6.1.2 and Splunk App for Stream 6.1.
We don't want to disable "confcheck_script_errors" in Settings --> Data Inputs --> Configuration Checker.
We want a permanent solution to this problem.
This script should only ever be run once by splunkd at startup. If it's running once per hour, there may be a bug in splunkd's scheduler. I recommend filing a (splunkd, not App for Stream) bug report on that.
All it does is copy the files from $SPLUNK_HOME/etc/apps/splunk_app_stream/install/Splunk_TA_stream into $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/deployment-apps, and creates local/inputs.conf files (copied from default/inputs.conf). As a work-around, you could just perform these steps manually and disable the script by setting disabled=1 in splunk_app_stream's inputs.conf file.
It would be interesting to know why it's failing. Are there any other error messages in your $SPLUNK_HOME/var/log/splunk/stream_installer.log or splunkd.log file located in the same directory?
Hi mdickey_splunk,
I don't see any other errors in either $SPLUNK_HOME/var/log/splunk/stream_installer.log or splunkd.log.
But one thing I notice in stream_installer.log is that it is somehow resetting disable=0 every now and then:
[INFO] /home/splunk/etc/apps/splunk_app_stream/install/Splunk_TA_stream was successfully copied to /home/splunk/etc/apps/Splunk_TA_stream
[INFO] created config file (disabled=1): /home/splunk/etc/apps/Splunk_TA_stream/local/inputs.conf
[INFO] /home/splunk/etc/apps/splunk_app_stream/install/Splunk_TA_stream was successfully copied to /home/splunk/etc/deployment-apps/Splunk_TA_stream
[INFO] created config file (disabled=0): /home/splunk/etc/deployment-apps/Splunk_TA_stream/local/inputs.conf
The log entries you included are part of the install process, when it copies the Splunk_TA_stream directory. It should only include entries for when you first start Splunk, and if you already have Splunk_TA_stream installed (and running the latest version), it should just have entries saying that it's doing nothing. It should not update Splunk_TA_stream if it's already installed and the latest version (as determined by splunk_app_stream version). Would you send a larger snippet from that log file?
09:05:15,059 [INFO] Splunk App for Stream Dependency Manager: Exiting...
10:41:08,811 [INFO] Splunk App for Stream Dependency Manager: Starting...
10:34:13,787 [INFO] Splunk App for Stream Dependency Manager: Starting...
16:31:39,409 [INFO] Splunk App for Stream Dependency Manager: Starting...
09:14:56,112 [INFO] Splunk App for Stream Dependency Manager: Starting...
09:36:19,720 [INFO] Splunk App for Stream Dependency Manager: Starting...
13:25:15,743 [INFO] Splunk App for Stream Dependency Manager: Starting...
15:05:01,399 [INFO] Splunk App for Stream Dependency Manager: Starting...
16:25:17,324 [INFO] Splunk App for Stream Dependency Manager: Starting...
10:22:36,261 [INFO] Splunk App for Stream Dependency Manager: Starting...
15:30:43,211 [INFO] Splunk App for Stream Dependency Manager: Starting...
14:20:34,908 [INFO] Splunk App for Stream Dependency Manager: Starting...
11:06:50,844 [INFO] Splunk App for Stream Dependency Manager: Starting...
12:18:49,808 [INFO] Splunk App for Stream Dependency Manager: Starting...
11:52:13,863 [INFO] Splunk App for Stream Dependency Manager: Starting...
11:54:49,352 [INFO] Splunk App for Stream Dependency Manager: Starting...
11:56:50,331 [INFO] Splunk App for Stream Dependency Manager: Starting...
15:48:02,104 [INFO] Splunk App for Stream Dependency Manager: Starting...
12:10:38,010 [INFO] Splunk App for Stream Dependency Manager: Starting...
Do you have some non-standard configuration of splunkd WRT its REST API endpoints? Non-standard port or something? Maybe a firewall? Every "Starting.." entry should have a corresponding "Exiting" entry and additional entries in between saying what it's doing. The only way I can imagine it only having "Starting..." entries is if it's failing to query these endpoints.
On second thought, I'm guessing splunkd may be trying to re-run it every hour only because it is failing. That may be expected behavior.
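The check described in the last reply (every "Starting..." entry should have a matching "Exiting..." entry with work logged in between), as an added example that is not part of the original thread or of Splunk's code. The function name, the optional date prefix and the sample lines are assumptions; the sample is constructed in the format of the entries posted above.

```python
import re

# Entry format seen in the thread: "HH:MM:SS,mmm [LEVEL] message".
# Assumption: the real file may prefix a date, so one is accepted optionally.
ENTRY = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2}\s+)?(\d{2}:\d{2}:\d{2}),\d{3}\s+\[(\w+)\]\s+(.*)$"
)
START = "Splunk App for Stream Dependency Manager: Starting..."
EXIT = "Splunk App for Stream Dependency Manager: Exiting..."


def find_incomplete_runs(lines):
    """Return one dict per run that logged START but never logged EXIT.

    "steps" counts the entries logged after the start, so a run that died
    before doing any work (as in the thread) shows steps == 0.
    """
    incomplete = []
    current = None  # the run that is currently open, if any
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue  # blank lines, tracebacks, anything not an entry
        time, _level, msg = m.groups()
        if msg == START:
            if current is not None:
                incomplete.append(current)  # previous run never exited
            current = {"started": time, "steps": 0}
        elif msg == EXIT:
            current = None  # clean run, nothing to report
        elif current is not None:
            current["steps"] += 1
    if current is not None:
        incomplete.append(current)
    return incomplete


# Constructed sample: one clean run followed by two runs that never exit.
SAMPLE_LOG = """\
09:05:10,001 [INFO] Splunk App for Stream Dependency Manager: Starting...
09:05:14,500 [INFO] created config file (disabled=1): /home/splunk/etc/apps/Splunk_TA_stream/local/inputs.conf
09:05:15,059 [INFO] Splunk App for Stream Dependency Manager: Exiting...
10:41:08,811 [INFO] Splunk App for Stream Dependency Manager: Starting...
11:41:09,120 [INFO] Splunk App for Stream Dependency Manager: Starting...
""".splitlines()

if __name__ == "__main__":
    for run in find_incomplete_runs(SAMPLE_LOG):
        print(f"run started {run['started']} never exited ({run['steps']} steps logged)")
```

Running it over the real stream_installer.log and comparing the reported start times with the "exited with code 1" messages in splunkd.log shows whether each hourly failure corresponds to a run that stopped before doing any work.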