All Apps and Add-ons

splunk app python script not running

aab5272
Engager

$SPLUNK_HOME/etc/apps/cpp_name/bin/script.py
i have a python script that modify the view .

i assume its not running when i checked the same logic in os-python it works well. In command.conf

filename = script.py
retainsevents = true
overrides_timeorder = false
streaming = true

is there anyhting else i need to do .

Also i tried to check the logs in index="_internal" Error fullpath to script , it doesn't show anythin up there.

can some body help.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Try the following

import splunk.mining.dcutils as dcu

logger = dcu.getLogger()

try:
  Your code
except Exception as e:
  logger.error(str(e))

Then run the script and check index=_internal scriptName.py

If that doesn't work, you've probably got a syntax or indentation error. check the search.log in the job inspector. Search it for scriptName.py.

0 Karma

aab5272
Engager

I used your comment but i get th ebelow error i am not sure why

utils/bin/script.py

from splunk.Intersplunk import dcu
07-14-2017 16:14:10.376 ERROR ScriptRunner - stderr from '/productos/pentaho/splunk/bin/python /productos/pentaho/splunk/etc/apps/utils/bin/script.py': from ^ splunk.Intersplunk import dcu
07-14-2017 16:14:10.376 ERROR ScriptRunner - stderr from '/productos/pentaho/splunk/bin/python /productos/pentaho/splunk/etc/apps/utils/bin/script.py': SyntaxError: invalid syntax
07-14-2017 16:14:10.376 ERROR ScriptRunner - extern write error: errno=Broken pipe

from splunk.Intersplunk import dcu

I am not sure whats the syntax error in this . Well your answer helped me in debugging i am getting closed to what i want.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Try enabling show all characters in notepad++ and checking for tabs etc.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Also can you show me the exact command/search you are using to execute the code?

0 Karma

aab5272
Engager

index="indexname" | script from the UI

0 Karma

jkat54
SplunkTrust
SplunkTrust

Can you post the code?

0 Karma

jkat54
SplunkTrust
SplunkTrust

How does it modify the view?

How are you executing the script within Splunk?

0 Karma

aab5272
Engager

the logs being monitored is in the form of
label=labelname value=actual value
now the script is intended to convert the above into
labelname=actual value at search time.

the python script is inside the app. My props.conf and transform.conf are working fine and the fields are getting extracted.

when i run this from splunk CLI it gives me error at this line

results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()
and makes reference to these two function from splunk python library.
/splunk/lib/python2.7/site-packages/splunk/Intersplunk.py"", line 336, in getOrganizedResults
results = readResults(input_str, settings)
File "splunk/lib/python2.7/site-packages/splunk/Intersplunk.py"", line 265, in readResults
line = input_buf.readline()

0 Karma

jkat54
SplunkTrust
SplunkTrust

That error from Splunk cli is due to not having any results in the pipeline.

0 Karma

aab5272
Engager

but i see data being streamed .

How can i fix this ?any idea?

0 Karma

jkat54
SplunkTrust
SplunkTrust

Did you see my answer below?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...