Getting Data In

ExecProcessor appends "-index main" to end of scripted input command-line

halr9000
Motivator

I've got a scripted input being called like so (inputs.conf):

[script://./bin/GetFaults.path]
source = ciscoucs:py:Collect.py
sourcetype = ciscoucs:ucsm:fault
index = main
interval = 300
disabled = 0

And GetFaults.path:

$SPLUNK_HOME/bin/python $SPLUNK_HOME/etc/apps/TA-CiscoUcsPy/bin/Collect.py faultInst

However, here is what the ExecProcessor is actually executing:

10-09-2012 23:28:37.443 -0400 INFO  ExecProcessor - Ran script: /Applications/splunk/bin/python /Applications/splunk/etc/apps/TA-CiscoUcsPy/bin/Collect.py faultInst -index main, took 53.93 milliseconds to run, 0 bytes read, exited with code 2

My script is exiting because of that "-index main" at the end. Something is appending that string, but I have no idea where it's coming from. The string does not appear in my .conf anywhere. Any ideas?

helge
Builder

This is documented in the inputs.conf documentation for version 6.x. There it says in the section describing scripted inputs -> index:

Note: this parameter will be passed as a command-line argument to in the format: -index . If the script does not need the index info, it can simply ignore this argument.

Apparently this info was missing from the 5.x documentation.

And I just tested on 6.0.2: if the scripted input is started though a .path file the index is appended. If it is started directly (e.g. as a .cmd file) the index is not appended.

halr9000
Motivator

I'm calling it a bug because there appears to be no way to configure this surprising behavior. Opened [SPL-56775]. Happy to be proven wrong with a workaround!

0 Karma

Jaykul
Explorer

I can't explain why this is the case, but obviously Splunk is passing the index you have configured in your inputs.conf for this stanza as a parameter to the script. I can't find any documentation for that behavior (or much information about .path files outside of the inputs.conf docs).

In any case, I'm sure if you change the index name you'll see that reflected. I wonder if leaving it off (it's not necessary here, since main is the default) would prevent it being passed.

I'm not sure why you'd want that information in a script you're running for input, but I suppose you can just add a parameter and ignore it, unless Splunk starts adding other values from your stanza to the command-line.

halr9000
Motivator

I'm calling it a bug because there appears to be no way to configure this surprising behavior. Opened [SPL-56775]. Happy to be proven wrong with a workaround!

0 Karma

dwaddle
SplunkTrust
SplunkTrust

Reproduced this on my local, but seems to only happen with using a .path file. If I wire up the scripted input directly to my script, no extra argument.

0 Karma

halr9000
Motivator

I really want to understand why it's happening. But yeah, I can take the index= line out of inputs.conf and see if that helps.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...