I have implemented a Python script and it is working fine from the command prompt, giving output as "200,0.548236". But when I run my search from the Splunk dashboard, it's not showing any results.
Search command: source="Catalog_Ext-Akamai" earliest=-5m|stats last(StatusCode) as value | rangemap field=value low=200-200 default=severer|script catalog rel02
My commands.conf and inputs.conf files are here:
commands.conf file:
[catalog]
filename = test.py
type = python
inputs.conf file:
# Here we are not passing any args, as the script is run from commands.conf
[script://$SPLUNK_HOME/etc/apps/search/bin/Catalog_Ext-Akamai.sh]
disabled = 0
index = kohls_synthetic
interval = 300.0
sourcetype = synthetic
source = Catalog_Ext-Akamai
host =
Can someone help me with this?
Thanks.
My Python script just calls my shell script, which will run the actual code and provide the output.
If the Python script test.py is calling $SPLUNK_HOME/etc/apps/search/bin/Catalog_Ext-Akamai.sh, then why is it added as a scripted input?
Hi,
We are passing a parameter to the shell script, and we are unable to pass arguments to the inputs.conf file. So we implemented a Python script to call the shell script with arguments. But when we check events, the script is still being picked from inputs.conf instead of commands.conf.
Thanks.
I am confused; what do you want to achieve? Do you want to run a script based on output generated by a Splunk query, or do you want to run a scripted input (a scripted input runs at a defined interval and indexes data in Splunk)?
If you want to process or send Splunk query output, then you can use a custom command. To create a custom command, please refer to the documentation at https://docs.splunk.com/Documentation/Splunk/7.2.3/Search/Aboutcustomsearchcommands . Have a look at the sample custom command script in this answer, https://answers.splunk.com/answers/601523/custom-command-arguments.html , so you will get a better idea.
My requirement is simple.
I have a dashboard and I want to use the same one for multiple environments. So I created a dropdown token and am passing env as a parameter to my shell script.
I am unable to pass my parameter to the shell script which is configured in inputs.conf, so for that reason I created a custom Python script in commands.conf and am calling the shell script from the Python script.
Now the Python script is working fine and giving the output, but when we query through the Splunk dashboard it's not showing any results, as events are still looking for the script in inputs.conf.
How about a different solution? If you just want to pass the 'env' to the script (say prod, test, dev), you can run something similar to |rest /services/server/roles splunk_server=local| search splunk_server=* (assuming you have different search heads for prod/test etc.). You can have a lookup with your SH details classified as dev/prod/test. When the dashboard loads, it can give you the 'env' variable, which you can pass to your script.
In your screenshot you have a time range of all time, but in the actual search you include the clause earliest=-5m.
What is returned if you keep the time range as all time, but change your search to
index=kohls_synthetic source="Catalog_Ext-Akamai"
Dave
If we remove the script tag from the search query, it goes to the inputs.conf file and gives events.
How can we stop the script from going to inputs.conf, so that it always goes to commands.conf?
In my case, for events it is picking the script from inputs.conf instead of commands.conf.
Thanks.
File not found /tmp/splunk/etc/apps/search/bin/.properties -- this is the output, as the script is expecting the argument from the script; that is the reason it's saying file not found ".properties".
If we pass or hardcode some value for the parameter, it will work.
"200,0.373956" is my Python script's output.
Now I want to run my Python script with arguments, configure 200 as StatusCode and 0.373956 as ResponseTime, and search for the same in the search query.
Please find my props.conf here.
[synthetic]
EXTRACT-StatusCode = ^(?P\d+)
EXTRACT-ResponseTime = ^\d+:(?P.+)
EXTRACT-ResponseTime2,Node = ^\d+,(?P[^ ]+) Node="(?P\d+)
EXTRACT-StoreNum = ^(?:[^ \n]* ){5}(?P.+)
EXTRACT-ResponseTime2 = ^\d+,(?P[^ ]+)
EXTRACT-MemHealth = ^\s+"\w+"\s+:\s+\w+,\s+"\w+"\s+:\s+\w+\s+"\w+"\s+:\s+\w+,\s+"\w+"\s+:\s+\w+,\s+"\w+"\s+:\s+(?P\w+)
EXTRACT-CurrentMem = ^\s+"\w+"\s+:\s+"\w+:\s+\w+.\s+\w+:\s+\w+"\s+"\w+"\s+:\s+"\w+\s+\w+"\s+"\w+"\s+:\s+"\w+\s+\w+\s+\d+\s+\w+.\s+\w+\s+\w+\s+(?P[^ ]+)
EXTRACT-ResponseTime3 = ^\d+,(?P\d+.\d+)
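An added example, not part of the original thread or any poster's code: one way the test.py wrapper discussed above could check the dashboard-supplied environment argument against an allowlist before it reaches the shell script, then emit the "status,seconds" output as named fields. It assumes Python 3.7 or later and the legacy `type = python` protocol in which the script writes plain CSV with a header row to stdout; the allowlist entries other than rel02 and the /opt/splunk fallback are hypothetical.

```python
#!/usr/bin/env python3
import csv
import io
import os
import subprocess
import sys

# Assumption: values the dashboard dropdown may send ("rel02" is from the thread).
ALLOWED_ENVS = {"rel01", "rel02", "prod"}
# Script path from the inputs.conf stanza in the thread; fallback is hypothetical.
SCRIPT = os.path.join(os.environ.get("SPLUNK_HOME", "/opt/splunk"),
                      "etc", "apps", "search", "bin", "Catalog_Ext-Akamai.sh")

def validate_env(argv):
    """Return the env argument; reject a missing, empty or unlisted value."""
    if len(argv) != 2 or argv[1] not in ALLOWED_ENVS:
        raise ValueError("expected one argument from %s" % sorted(ALLOWED_ENVS))
    return argv[1]

def parse_probe_output(text):
    """Turn 'status,seconds' (e.g. '200,0.373956') into named fields."""
    status, _, elapsed = text.strip().partition(",")
    if not status.isdigit():
        # Covers error text such as the 'File not found ...' message.
        raise ValueError("unexpected script output: %r" % text[:80])
    return {"StatusCode": int(status), "ResponseTime": float(elapsed)}

def to_csv(row):
    """Render one result as a header line plus one data line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["StatusCode", "ResponseTime"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerow(row)
    return buf.getvalue()

def main(argv):
    try:
        env = validate_env(argv)
        # Argument list, no shell: the token is never parsed as shell syntax.
        done = subprocess.run([SCRIPT, env], capture_output=True, text=True,
                              timeout=60, check=True)
        sys.stdout.write(to_csv(parse_probe_output(done.stdout)))
        return 0
    except (ValueError, OSError, subprocess.SubprocessError) as exc:
        sys.stderr.write("catalog: %s\n" % exc)
        return 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
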