Deployment Architecture

Script placed in SH Pool .../SH_POOL/etc/apps/search/bin/ directory is not found by Splunk.

the_wolverine
Champion

I have a script in the location specified above, which is the SH Pool. The SH Pool is configured and working in all other aspects. However, the script cannot be located by Splunk and I see the following error:

04-11-2013 19:15:27.782 +0000 ERROR script - command="runshellscript", Cannot find script at /opt/splunk/bin/scripts/myscript.sh

As a workaround, I have moved a copy of the script to the local directory on each search head.

0 Karma
1 Solution

the_wolverine
Champion

Turns out the issue was with the location of that script. I moved the script to SH_POOL/etc/apps/search/bin/scripts/ and it is working now.


LukeMurphey
Champion

I wondered if the path was just wrong. That makes sense now. Thanks for posting the solution.

0 Karma

the_wolverine
Champion

There is no path to input. I'm placing the script in the path I have specified above. Then I'm specifying the name of that script in the field provided by Splunk UI.

0 Karma

LukeMurphey
Champion

Are you using the absolute path to the shared storage location?

0 Karma

the_wolverine
Champion

The script is a simple bash script that is triggered by scheduled search.

0 Karma

LukeMurphey
Champion

What is the purpose of the script? The solution is a little different based on what the script is intended to do.

0 Karma

LukeMurphey
Champion

If your script is referenced using a path based on $SPLUNK_HOME, then it won't work on search head pooling because the $SPLUNK_HOME variable won't point to the shared storage location. Make the path relative and it should work. See below for an example of an inputs.conf entry:

This won't work on search-head pooling:

[script://$SPLUNK_HOME/etc/apps/someapp/bin/myscript.sh]
disabled = false
interval = 0 0 * * 3

This will work on search-head pooling:

[script://./bin/myscript.sh]
disabled = false
interval = 0 0 * * 3

From what I can tell, you are using runshellscript which is no longer supported by Splunk. There might be a better way to execute your script using supported solutions that work with search-head pooling.

0 Karma
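
A lint check for the path rule in the answer above, as an added example that is not part of the original thread: it lists every scripted-input stanza whose path starts with $SPLUNK_HOME, so those can be switched to relative paths before search head pooling is enabled. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# find_home_based_scripts DIR
# Prints "file:line:stanza" for each [script://$SPLUNK_HOME...] stanza header
# found in any inputs.conf below DIR. Lines commented out with '#' are skipped.
find_home_based_scripts() {
    find "$1" -type f -name inputs.conf | sort | while IFS= read -r conf; do
        awk -v f="$conf" '
            /^[ \t]*#/ { next }                       # ignore commented-out stanzas
            /^[ \t]*\[script:\/\/\$SPLUNK_HOME/ {     # path anchored on $SPLUNK_HOME
                sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
                print f ":" NR ":" $0
            }' "$conf"
    done
}

# make_sample_tree DIR
# Writes a constructed apps tree: one app uses the $SPLUNK_HOME form from the
# answer above, the other uses the relative form.
make_sample_tree() {
    mkdir -p "$1/someapp/default" "$1/otherapp/local"
    cat > "$1/someapp/default/inputs.conf" <<'EOF'
# [script://$SPLUNK_HOME/etc/apps/someapp/bin/old.sh]
[script://$SPLUNK_HOME/etc/apps/someapp/bin/myscript.sh]
disabled = false
interval = 0 0 * * 3
EOF
    cat > "$1/otherapp/local/inputs.conf" <<'EOF'
[script://./bin/myscript.sh]
disabled = false
interval = 0 0 * * 3
EOF
}

# When given a directory argument, scan it (for example an etc/apps directory).
if [ "$#" -gt 0 ]; then
    find_home_based_scripts "$1"
fi
```

Only the stanza header is checked; whether the script file itself exists on the shared storage is a separate check.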

LukeMurphey
Champion

When you use a relative path, does Splunk list the absolute path in the error message? I'm curious as to why Splunk isn't converting that to the path on the shared storage where the script presumably is. Also, what happens if you use an absolute path to the script on the shared storage location?

0 Karma

LukeMurphey
Champion

Ah, I gotcha. So you're not using runshellcommand directly, Splunk is using it for you. That makes more sense. That should be supported. Direct use of that command is not (which I incorrectly thought you were doing).

0 Karma

the_wolverine
Champion

I'm curious. What other supported solution for what I'm trying to do might exist? I'm triggering a script using a scheduled search and inputting the script name in the field provided in Splunk UI for such script.

0 Karma

LukeMurphey
Champion

@the_wolverine: You'll need to use the absolute path to the shared storage location or a relative path. The original question indicated that $SPLUNK_HOME was used and this won't work. The point of the example was to illustrate incorrect versus correct path usage.

0 Karma

the_wolverine
Champion

That was a bad example. I use a relative path in my script. The runshellcommand is used by Splunk when a script is triggered via scheduled search.

0 Karma