I'm trying to so a simple ps for ssh connections from a specific user. I have created a python script
os.system("ps -ef|grep 'sshd: myuser'|wc -l")
I've configured the script in inputs.conf
disabled = false
index = testing
interval = 30 #frequency to run the script, in seconds
source = ssh_myuser
sourcetype = ssh_myuser
However, when I search for "sourcetype=ssh_myuser" I get no results.
@tsheets13 I have converted your comment to answer. Please accept the same to mark this question as answered and assist others facing similar issue.
Search for errors in the _internal Splunk logs:
index=_internal error chkssh.py
If there are no logs in _internal for the script you can also check the local logs on the machine running the script:
On the host running the script, have you verified connectivity to the Splunk endpoint? Firewalls can be brutal.
If you have some more troubleshooting data, please share.