Getting Data In

I see Splunk has some ".path" files in the Windows app bin directory. What are these for?

jrodman
Splunk Employee

The Windows app ships with some files that end in .path in the bin directory. How do these work? Is there any particular design goal of these? Can I use this mechanism as a customer?

1 Solution

Justin_Grant
Contributor

.path files are an optimization which allows Splunk to run scripted inputs which call other programs outside the BIN directory (e.g. Windows PowerShell). The .path file contains the command line you want to execute, including both the program you want to run and its command-line parameters. Think of it like a one-line batch file.

More details:

As a security precaution, Splunk will only execute scripted inputs inside an app's BIN directory. This ensures that, in order to run custom code on a Splunk server, an administrator actually has to copy [or create -ed] a file into an app's BIN directory. However, this makes it hard to execute non-Python scripted inputs (e.g. PowerShell scripts on Windows) since those inputs require running an executable which lives outside the BIN directory.

Of course, you could create a one-line BAT or CMD file (or its *nix equivalent) which would simply launch the desired executable. But that's inefficient-- Splunk would be spinning up a new shell process whose whole purpose in life was immediately starting another program. Furthermore, making things worse, when Splunk shuts down it makes it hard to ensure that the "grandchild" process is shut down too.

For this reason, Splunk offers the .path file option, which functions just like a one-line batch file, but doesn't spin up a new process each time, which is better for performance and enables cleaner shutdowns.


Lowell
Super Champion

I got it to work in Linux. (I had forgotten to use the absolute path to my executable. Whoops!) However, this STILL caused a shell (/bin/sh -c) process to be launched. See http://splunk-base.splunk.com/answers/28733/scripted-input-without-a-shell

0 Karma
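A defender's inventory of the mechanism described in the answers above, as an added example that is not part of the original thread and not Splunk's own code: it lists each `.path` file under an apps directory with the program it names, and flags a non-absolute program path (the mistake mentioned in the comment above). It assumes the layout `<apps dir>/<app>/bin/*.path` and one command line per file; the function names and sample contents are constructed for illustration.

```python
import shlex
import sys
from pathlib import Path, PurePosixPath, PureWindowsPath

# Constructed sample .path contents (not taken from any real app).
SAMPLES = {
    "ps.path": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File collect.ps1',
    "rel.path": "myprog --once",
}


def parse_path_file(text):
    """Split the one-line command in a .path file; return (program, args, findings)."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return None, [], ["empty file"]
    if len(lines) > 1:
        findings.append("more than one non-blank line")
    try:
        # posix=False leaves Windows backslashes alone and keeps quotes on tokens.
        tokens = shlex.split(lines[0], posix=False)
    except ValueError:
        return None, [], findings + ["unbalanced quotes"]
    program = tokens[0].strip('"')
    if program.startswith("$"):
        findings.append("program path starts with a variable, resolve by hand")
    elif not (PureWindowsPath(program).is_absolute()
              or PurePosixPath(program).is_absolute()):
        findings.append("program path is not absolute")
    return program, tokens[1:], findings


def audit_apps(apps_root):
    """List every <app>/bin/*.path under apps_root with the program it names."""
    report = []
    for path_file in sorted(Path(apps_root).glob("*/bin/*.path")):
        text = path_file.read_text(encoding="utf-8", errors="replace")
        program, args, findings = parse_path_file(text)
        report.append({"file": str(path_file), "program": program,
                       "args": args, "findings": findings})
    return report


if __name__ == "__main__":
    # With an argument, audit that apps directory; otherwise parse the samples.
    if len(sys.argv) > 1:
        for entry in audit_apps(sys.argv[1]):
            print(entry["file"], entry["program"], entry["args"], entry["findings"])
    else:
        for name, content in SAMPLES.items():
            print(name, parse_path_file(content))
```

Comparing the output against a reviewed baseline shows when a new `.path` file or a changed target program appears in an app's bin directory.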

gkanapathy
Splunk Employee

Think of it as a symbolic link.

0 Karma

Lowell
Super Champion

Does this work for platforms other than Windows? (For example, on Linux)
