- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to troubleshoot why my scripted input on Solar...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to troubleshoot why my scripted input on Solaris is not working?
All,
Not really a SunOS guy, so might be missing something fundamental. I wrote the script I need, and it runs fine as the user I expect it do. Splunk is root and running as root.
Here I have a simple script that echos out some system information for our Splunk ES demo.
#/usr/bin/bash
ip=`/usr/sbin/ifconfig -a | grep -i inet | grep -i 10 | awk '{print $2}'`
mac=`/usr/sbin/ifconfig -a | grep -i ether | head -n 1 | awk '{print $2}'`
nt_host=`hostname`
dns=`nslookup $ip | grep -i name | awk '{print $4}'`
owner="user"
owner_email="user@domain.com"
owner_DL="group@domain.com"
# Lat and long work - default
lat=76.057837
long=-115.214195
# if sjr override the above with sjr lat and long
datacenter=${nt_host:0:3}
if [ $datacenter == "sjr" ]
then
lat=140.5622
long=121.9297
fi
echo "ip=$ip, mac=$mac, nt_host=$nt_host, dns=$dns, owner=$owner, owner_email=$owner_email, owner_DL=$owner_DL, priority=high,lat=$lat,long=$long,city=\"Las Vegas\", country=US, bunit=operations, category=cardholder, pci_domain=\"trust|cardholder\", is_expected=true, should_timesync=true, should_update=true, requires_av=false"
and here is the inputs.conf:
[script://./bin/getinfo.sh]
index=asset_discovery
sourcetype=assets:SunOS
interval=60
This script executes when run locally. I also verified the app runs fine on a LInux machine. I am getting other data from this forwarder. At this point I am out of ideas as to why this scripted input is failing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi daniel333,
Where do you put the script? From my experience so far, you can only use relative path (like your configuration) in inputs.conf when you put the script within the bin folder and specify the inputs.conf in your own app. If you put your script elsewhere, you need to use absolute path to the script.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
have you looked in the splunk logs on that server to see if there are any errors? Is it trying to run the script at all?
Do you have other scripted inputs on the server too? If not, it might not hurt to try to dumb this down to maybe just an echo to see if you can get that to index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the script is placed in the bin folder as specified here then the only difference might be that you are referring relative path to the script in your inputs.conf stanza. The documentation mentions to use the absolute/full path to the script in the Syntax section. Can you try changing to full path and see if it works.
Also check if there are no execute permission issues by trying chmod 755 absolutepath_to_scriptto resolve execute permission related issues (if any).
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
