Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

ExecProcessor appends "-index main" to end of scripted input command-line

halr9000
Motivator
‎10-09-2012 08:37 PM

I've got a scripted input being called like so (inputs.conf):

[script://./bin/GetFaults.path]
source = ciscoucs:py:Collect.py
sourcetype = ciscoucs:ucsm:fault
index = main
interval = 300
disabled = 0

And GetFaults.path:

$SPLUNK_HOME/bin/python $SPLUNK_HOME/etc/apps/TA-CiscoUcsPy/bin/Collect.py faultInst

However, here is what the ExecProcessor is actually executing:

10-09-2012 23:28:37.443 -0400 INFO  ExecProcessor - Ran script: /Applications/splunk/bin/python /Applications/splunk/etc/apps/TA-CiscoUcsPy/bin/Collect.py faultInst -index main, took 53.93 milliseconds to run, 0 bytes read, exited with code 2

My script is exiting because of that "-index main" at the end. Something is appending that string, but I have no idea where it's coming from. The string does not appear in my .conf anywhere. Any ideas?

Reply

helge
Builder
‎02-24-2014 01:17 PM

This is documented in the inputs.conf documentation for version 6.x. There it says in the section describing scripted inputs -> index:

Note: this parameter will be passed as a command-line argument to in the format: -index . If the script does not need the index info, it can simply ignore this argument.

Apparently this info was missing from the 5.x documentation.

And I just tested on 6.0.2: if the scripted input is started though a .path file the index is appended. If it is started directly (e.g. as a .cmd file) the index is not appended.

Reply

halr9000
Motivator
‎10-10-2012 07:24 AM

I'm calling it a bug because there appears to be no way to configure this surprising behavior. Opened [SPL-56775]. Happy to be proven wrong with a workaround!

0 Karma
Reply

Jaykul
Explorer
‎10-09-2012 09:08 PM

I can't explain why this is the case, but obviously Splunk is passing the index you have configured in your inputs.conf for this stanza as a parameter to the script. I can't find any documentation for that behavior (or much information about .path files outside of the inputs.conf docs).

In any case, I'm sure if you change the index name you'll see that reflected. I wonder if leaving it off (it's not necessary here, since main is the default) would prevent it being passed.

I'm not sure why you'd want that information in a script you're running for input, but I suppose you can just add a parameter and ignore it, unless Splunk starts adding other values from your stanza to the command-line.

Reply

halr9000
Motivator
‎10-10-2012 07:25 AM

I'm calling it a bug because there appears to be no way to configure this surprising behavior. Opened [SPL-56775]. Happy to be proven wrong with a workaround!

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎10-09-2012 09:20 PM

Reproduced this on my local, but seems to only happen with using a .path file. If I wire up the scripted input directly to my script, no extra argument.

0 Karma
Reply

halr9000
Motivator
‎10-09-2012 09:09 PM

I really want to understand why it's happening. But yeah, I can take the index= line out of inputs.conf and see if that helps.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...