Hi Good day,
I was trying to run a python script after a saved search has been executed. I have set it up on alerts settings in the search and reports but the script won't run. I have properly include my python script to $SPLUNK_HOME$/bin/scripts folder and make it executable using chmod. There was no logging in splunkd.log that the alert was executed or any errors that occur.
I was experiencing the same issue as crt89. I worked through all the same steps, as well, and finally found the issue was a relative path reference in my .py script, needed to be an absolute path.
myConfig = ET.parse( 'foo.xml' ).getroot()
Needed to be updated to:
myConfig = ET.parse( '$SPLUNK_HOME/bin/scripts/foo.xml' ).getroot()
I was also running the python script via an .sh script to allow me to use python modules not included by splunk. Again, just as crt89 had outlined.
When I had this problem, it was because one of the Python modules for my script failed to import.
The Splunk version of Python has its site-packages location in $SPLUNK_HOME/lib/python2.7/site-packages, but I'd installed my various modules into the regular Python. Try from a shell,
python -c 'import site; print(site.getsitepackages())'
$SPLUNK_HOME/bin/splunk cmd python -c 'import site; print(site.getsitepackages())'
One solution is to use
easy_install --install-dir /path/to/splunk/site-packages . to specifically install each module that failed.
To debug this sort of thing, it's helpful to edit $SPLUNK_HOME/etc/apps/search/bin/runshellscript.py, and replace the line 'p.communicate(input=stdin_data)' with two lines,
pipe = p.communicate(input=stdin_data) logger.info("result: %s", pipe)
which will log any output (error messages, etc) from your script into the Splunk 'python.log' file.
try changing your hash bang path to the one for splunk. Like:
here's what in my run.sh code
here's the a sample entry in my python.log
2014-05-29 17:17:09,608 +0800 INFO runshellscript:188 - runshellscript: ['/bin/bash', '/opt/splunk/bin/scripts/run.sh', '1710', 'my search here', 'test_1', 'Saved Search [test_1] number of events(1710)', 'http://localhost:8000/app/smsgt/@go?sid=scheduler__admin__smsgt__RMD53c4ac00ac374c29b_at_1401355020_...', '', '/opt/splunk/var/run/splunk/dispatch/scheduler_adminsmsgt_RMD53c4ac00ac374c29b_at_1401355020_103/results.csv.gz']
pyhton.log will actually show you if the script is triggered or not. If not it will show you the error why! moreover if you are using arguments to take the csv file path for the search double check if it is the right argument. enable logging for your python script to see if it even going inside it or not
Thanks for the reply MuS, there was no error in python.log it just log as normal, and yes my search hit events. I did also try to run a simple script that outputs text into a file and it was successful so I'm kinda stuck here does my python script was the problem or Splunk. Btw what I was trying to do was my saved search outputs results to csv file while my python script parsed this file and output it to another file that later be indexed by Splunk. So I was thinking that run my script as the saved search also run. Also thinking that my script will run after my saved search has completed.
any errors in python.log? if you 'replace' your script in the alert action with sending email, do you get this - speaking so does your search hit any events?
Update: I did also create a .sh file that will call my python script. My script was fine running in command line but won't execute while using Splunk alerts. I'm using Centos as my os and Splunk 6.0.3 as base. Anyone would like to help?