Developing for Splunk Enterprise

Is there a way to schedule a Python Script from Splunk?

markdflip
Path Finder

I currently have a Python script calling an API and returning the results to Splunk. I can use the |script command in Splunk and the Python script works as expected. I have a dashboard built on the underlying data, which is pretty small in volume.

Is there a way to schedule this script to be called within Splunk? Is the saved search the best way to go about calling the |script command?

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

You could turn your script into a scripted input, and run that on a schedule either by interval or cron.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

You could turn your script into a scripted input, and run that on a schedule either by interval or cron.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Search for index=_internal jira_wrapper_script to find infos about the script running.

For a simplified example, try something like this:

test.sh (set x bit with chmod!):

#!/bin/sh
echo Hello

inputs.conf

[script://./bin/test.sh]
interval, index, etc.

This should send an event containing just the word Hello to the index, sourcetype, etc. you specified in the inputs.conf.

0 Karma

markdflip
Path Finder

Hmmm, it seems my scripting skills are below par. I set up the monitoring of the python script directly through the UI and it worked flawlessly. Shell script didn't turn out as well.

Turns out there was some issue with the actual sh file. The below shell script worked for anyone stumbling upon this page.

shell script

 #!/bin/bash
python "C:/Program Files/Splunk/etc/apps/my_app_name/bin/jira_rest_api.py"

Martin - thank you for your help.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust
0 Karma

markdflip
Path Finder

I tried going down the path of scripted inputs, to pretty bad results. I added the .sh script to inputs.conf, but there is no reference to the script anywhere in the logs. Is there a way to check if the script is being triggered at all?

[script://$SPLUNK_HOME/etc/apps/my_app/bin/jira_wrapper_script.sh]
disabled = false # change to false to start the input, requires restart
host = local
index = jira_test
interval = 240 
source = http-simple
sourcetype = jira

[script://$SPLUNK_HOME/etc/apps/my_app/bin/jira_rest_api.py]
disabled = false # change to false to start the input, requires restart
host = local
index = jira_test
interval = 240
source = http-simple
sourcetype = jira

I am not surprised that the shell script may not work, since I have never written one before. I did expect to see error messages somewhere.

0 Karma

markdflip
Path Finder

Do I need to create a .sh file that calls the .py file?

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!