I've got a scripted input being called like so (inputs.conf):
[script://./bin/GetFaults.path]
source = ciscoucs:py:Collect.py
sourcetype = ciscoucs:ucsm:fault
index = main
interval = 300
disabled = 0
And GetFaults.path:
$SPLUNK_HOME/bin/python $SPLUNK_HOME/etc/apps/TA-CiscoUcsPy/bin/Collect.py faultInst
However, here is what the ExecProcessor is actually executing:
10-09-2012 23:28:37.443 -0400 INFO ExecProcessor - Ran script: /Applications/splunk/bin/python /Applications/splunk/etc/apps/TA-CiscoUcsPy/bin/Collect.py faultInst -index main, took 53.93 milliseconds to run, 0 bytes read, exited with code 2
My script is exiting because of that "-index main" at the end. Something is appending that string, but I have no idea where it's coming from. The string does not appear in my .conf anywhere. Any ideas?
This is documented in the inputs.conf documentation for version 6.x. There it says in the section describing scripted inputs -> index:
Note: this parameter will be passed as a command-line argument to
in the format: -index . If the script does not need the index info, it can simply ignore this argument.
Apparently this info was missing from the 5.x documentation.
And I just tested on 6.0.2: if the scripted input is started though a .path file the index is appended. If it is started directly (e.g. as a .cmd file) the index is not appended.
I'm calling it a bug because there appears to be no way to configure this surprising behavior. Opened [SPL-56775]. Happy to be proven wrong with a workaround!
I can't explain why this is the case, but obviously Splunk is passing the index you have configured in your inputs.conf for this stanza as a parameter to the script. I can't find any documentation for that behavior (or much information about .path files outside of the inputs.conf docs).
In any case, I'm sure if you change the index name you'll see that reflected. I wonder if leaving it off (it's not necessary here, since main is the default) would prevent it being passed.
I'm not sure why you'd want that information in a script you're running for input, but I suppose you can just add a parameter and ignore it, unless Splunk starts adding other values from your stanza to the command-line.
I'm calling it a bug because there appears to be no way to configure this surprising behavior. Opened [SPL-56775]. Happy to be proven wrong with a workaround!
Reproduced this on my local, but seems to only happen with using a .path
file. If I wire up the scripted input directly to my script, no extra argument.
I really want to understand why it's happening. But yeah, I can take the index= line out of inputs.conf and see if that helps.