Splunk Dev

Custom Python script not working for Splunk events

vijayakrishna
New Member

I have implemented a Python script, and it is working fine from the command prompt, giving the output "200,0.548236". But when I run my search from the Splunk dashboard, it's not showing any results.

Search command: source="Catalog_Ext-Akamai" earliest=-5m|stats last(StatusCode) as value | rangemap field=value low=200-200 default=severer|script catalog rel02

My commands.conf file and inputs.conf file here:

commands.conf file:
[catalog]
filename = test.py
type = python

inputs.conf file:
[script://$SPLUNK_HOME/etc/apps/search/bin/Catalog_Ext-Akamai.sh] #here we are not passing any args as script running from commands.conf
disabled = 0
index = kohls_synthetic
interval = 300.0
sourcetype = synthetic
source = Catalog_Ext-Akamai
host =

Can someone help me with this?

Thanks.

0 Karma

vijayakrishna
New Member

My Python script just calls my shell script, which runs the actual code and provides the output.

0 Karma

harsmarvania57
SplunkTrust

If the Python script test.py is calling $SPLUNK_HOME/etc/apps/search/bin/Catalog_Ext-Akamai.sh, then why is it added as a scripted input?

0 Karma

vijayakrishna
New Member

Hi,
We are passing a parameter to the shell script, and we are unable to pass arguments to the inputs.conf file, so we implemented a Python script to call the shell script with arguments. But when we check events, the script is still being picked from inputs.conf instead of commands.conf.

Thanks.

0 Karma

harsmarvania57
SplunkTrust

I am confused; what do you want to achieve? Do you want to run a script based on output generated by a Splunk query, or do you want to run a scripted input (a scripted input runs at a defined interval and indexes data in Splunk)?

If you want to process/send Splunk query output, then you can use a custom command. To create a custom command, please refer to the documentation: https://docs.splunk.com/Documentation/Splunk/7.2.3/Search/Aboutcustomsearchcommands . Have a look at the sample custom command script in this answer, https://answers.splunk.com/answers/601523/custom-command-arguments.html , so you will get a better idea.

0 Karma

vijayakrishna
New Member

My requirement is simple.
I have a dashboard and I want to use the same one for multiple environments, so I created a dropdown token and am passing env as a parameter to my shell script.

I am unable to pass my parameter to the shell script that is configured in inputs.conf, which is the reason I created a custom Python script in commands.conf and am calling the shell script using the Python script.

Now the Python script is working fine and giving the output, but when we query through the Splunk dashboard it's not showing any results, as events are still looking for the script in inputs.conf.

0 Karma

lakshman239
SplunkTrust

How about a different solution? If you just want to pass the 'env' to the script (say prod, test, dev), you can run something similar to |rest /services/server/roles splunk_server=local| search splunk_server=* (assuming you have different search heads for prod/test, etc.). You can have a lookup with your SH details classified as dev/prod/test. When the dashboard loads, it can give you the 'env' variable, which you can pass to your script.

0 Karma

RHASQaL
Path Finder

In your screenshot you have a time range of all time, but in the actual search you include the clause earliest=-5m.

What is returned if you keep the time range as all time, but change your search to

index=kohls_synthetic source="Catalog_Ext-Akamai"

Dave

0 Karma

vijayakrishna
New Member

If we remove the script tag from the search query, it goes to the inputs.conf file and gives events.

0 Karma

vijayakrishna
New Member

How can we prevent the script from going to inputs.conf so that it always goes to commands.conf?
In my case, for events it is picking the script from inputs.conf instead of commands.conf.

Thanks.

0 Karma

vijayakrishna
New Member

File not found /tmp/splunk/etc/apps/search/bin/.properties -- this is the output, as the script is expecting the argument from the script; that is the reason it's saying file not found ".properties".

If we pass or hardcode some value for the parameter, it will work.

0 Karma

vijayakrishna
New Member

"200,0.373956" is my Python script's output.
Now I want to run my Python script with arguments, configure 200 as statuscode and 0.373956 as Responsetime, and search for the same in the search query.
Please find my props.conf here.
[synthetic]
EXTRACT-StatusCode = ^(?P\d+)
EXTRACT-ResponseTime = ^\d+:(?P.+)
EXTRACT-ResponseTime2,Node = ^\d+,(?P[^ ]+) Node="(?P\d+)
EXTRACT-StoreNum = ^(?:[^ \n]* ){5}(?P.+)
EXTRACT-ResponseTime2 = ^\d+,(?P[^ ]+)
EXTRACT-MemHealth = ^\s+"\w+"\s+:\s+\w+,\s+"\w+"\s+:\s+\w+\s+"\w+"\s+:\s+\w+,\s+"\w+"\s+:\s+\w+,\s+"\w+"\s+:\s+(?P\w+)
EXTRACT-CurrentMem = ^\s+"\w+"\s+:\s+"\w+:\s+\w+.\s+\w+:\s+\w+"\s+"\w+"\s+:\s+"\w+\s+\w+"\s+"\w+"\s+:\s+"\w+\s+\w+\s+\d+\s+\w+.\s+\w+\s+\w+\s+(?P[^ ]+)
EXTRACT-ResponseTime3 = ^\d+,(?P\d+.\d+)

0 Karma
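
An added example, not part of any post in this thread and not Splunk's own code: one way the Python wrapper discussed above could pass the dashboard's env value to Catalog_Ext-Akamai.sh so that an empty or unexpected value is rejected before it reaches the ".properties" lookup, and then split the "200,0.373956" output into StatusCode and ResponseTime. The function names, the allowlist entries other than rel02, and the script taking env as its first argument are assumptions.

```python
import os
import re
import subprocess
import sys

# Assumed allowlist: rel02 is the value in the thread's search; the rest are illustrative.
ALLOWED_ENVS = {"rel02", "prod", "test", "dev"}
SCRIPT_REL = os.path.join("etc", "apps", "search", "bin", "Catalog_Ext-Akamai.sh")
OUTPUT_RE = re.compile(r"^(?P<StatusCode>\d{3}),(?P<ResponseTime>\d+\.\d+)$")

def validate_env(value):
    """Return the environment name, or raise if it is empty or not allowlisted."""
    env = (value or "").strip()
    if env not in ALLOWED_ENVS:
        # An empty value is what made the script look for ".properties".
        raise ValueError("unsupported environment: %r" % env)
    return env

def build_argv(env, splunk_home):
    """Build an argument list; the token is never spliced into a shell string."""
    return ["/bin/sh", os.path.join(splunk_home, SCRIPT_REL), validate_env(env)]

def parse_output(text):
    """Split '200,0.373956' into named fields; reject anything else."""
    match = OUTPUT_RE.match(text.strip())
    if match is None:
        raise ValueError("unexpected script output: %r" % text[:80])
    return {"StatusCode": int(match.group("StatusCode")),
            "ResponseTime": float(match.group("ResponseTime"))}

def run_check(env, splunk_home, timeout=60):
    """Run the shell script for one environment and return its parsed result."""
    proc = subprocess.run(build_argv(env, splunk_home), capture_output=True,
                          text=True, timeout=timeout, check=True)
    return parse_output(proc.stdout)

if __name__ == "__main__":
    # Usage: test.py <env>; SPLUNK_HOME must be set in the environment.
    try:
        result = run_check(sys.argv[1] if len(sys.argv) > 1 else "",
                           os.environ["SPLUNK_HOME"])
    except (ValueError, KeyError, subprocess.SubprocessError) as exc:
        sys.exit("catalog check failed: %s" % exc)
    # Print one CSV row with a header; Splunk-side output handling is out of scope.
    print("StatusCode,ResponseTime")
    print("%d,%s" % (result["StatusCode"], result["ResponseTime"]))
```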