Getting Data In

Capture data from scripted input

tsheets13
Communicator

I'm trying to so a simple ps for ssh connections from a specific user. I have created a python script

! /usr/bin/python

import os
os.system("ps -ef|grep 'sshd: myuser'|wc -l")

I've configured the script in inputs.conf

[script://$SPLUNK_HOME/etc/apps/CheckSSH/bin/chkssh.py]
disabled = false
index = testing
interval = 30 #frequency to run the script, in seconds
source = ssh_myuser
sourcetype = ssh_myuser

However, when I search for "sourcetype=ssh_myuser" I get no results.

ideas?

0 Karma
1 Solution

tsheets13
Communicator

Sure enough, it didn't like the comment in the interval declaration in inputs.conf.
Working great now. Thanks

View solution in original post

0 Karma

tsheets13
Communicator

Sure enough, it didn't like the comment in the interval declaration in inputs.conf.
Working great now. Thanks

View solution in original post

0 Karma

niketnilay
Legend

@tsheets13 I have converted your comment to answer. Please accept the same to mark this question as answered and assist others facing similar issue.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

mydog8it
Builder

Search for errors in the _internal Splunk logs:

index=_internal error chkssh.py

If there are no logs in _internal for the script you can also check the local logs on the machine running the script:

$SPLUNK_HOME/var/log/splunk/

On the host running the script, have you verified connectivity to the Splunk endpoint? Firewalls can be brutal.

If you have some more troubleshooting data, please share.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!