
Interval not working on script

Builder

We're running a script that's used in the CiscoIPS app to pull event data from our IPS. Initially the interval was set at 1 (should be every 1 second) which was hitting our IPS more than we'd like. We then changed it to 300 (should be every 5 minutes), however after restarting both splunk services, it's still hitting the IPS every second. Any ideas?


Re: Interval not working on script

Legend

The script used by the Cisco IPS addon is actually running indefinitely once it's been started, so it won't matter what interval you will set for it to run. The timing is performed internally instead. I had a quick look at the script (get_ips_feed.py) and it seems there is no pause between its requests at all - once it's done with one connection it just keeps hammering away with the next.

You could modify the script to sleep at the end of its while loop, one suggestion would be to add a time.sleep(300) after ipsLogger.info(syslog_msg) (line 231).


Re: Interval not working on script

Builder

Thanks for the reply. I'll give it a shot and let you know how it goes.


Re: Interval not working on script

Builder

It didn't affect the script at all. I tried restarting the entire server after implementing it, in case it was still running in memory, but no luck. Any other ideas?


Re: Interval not working on script

Legend

Did you pay attention to the indentation level when you modified the script? Python interprets different indentation levels differently. The time.sleep line should be one level "up" (= less indentation) than the ipsLogger.info line. This should make the script sleep for 300 seconds after each run of its main loop.

You don't need to restart Splunk, scripts are called directly each time they're run rather than being kept in memory.


Re: Interval not working on script

Path Finder

With the release of version 1.1.1 of the Cisco IPS app, you can now specify a polling interval in the inputs.conf. Below is an example that causes the script to wait 30 seconds in between polls of the Cisco IPS appliance. You must be running version 1.1.1 or higher to use this additional option at the end of the script. Changing the "interval" underneath the script command will not affect the polling of the IPS.

[script://$SPLUNK_HOME\etc\apps\Splunk_CiscoIPS\bin\get_ips_feed.py "username" "password" "IPS_IP" "30"]
disabled = 0
index = main
interval = 1
source = SDEE
sourcetype = cisco_ips_syslog

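A sketch of what the two answers describe, as an added example and not the add-on's own get_ips_feed.py: a long-running poll loop that reads the optional fifth script argument ("30" in the stanza above) as the interval and sleeps at the bottom of the while body, at the same indentation as the fetch, not inside the inner for loop. Function names, the default interval and the fake fetch/handle callables are assumptions.

```python
import sys
import time

# Assumed fallback when the trailing interval argument is absent or invalid.
DEFAULT_INTERVAL = 300  # seconds


def parse_interval(argv, default=DEFAULT_INTERVAL):
    """Return the poll interval from argv.

    With the stanza [script://.../get_ips_feed.py "user" "pass" "IPS_IP" "30"]
    Splunk hands the script argv == [script, user, pass, ip, "30"], so the
    interval is argv[4]. Missing, non-numeric or non-positive values fall back
    to the default so a typo cannot silently re-enable hammering the appliance.
    """
    if len(argv) < 5:
        return default
    try:
        seconds = int(argv[4])
    except ValueError:
        return default
    return seconds if seconds > 0 else default


def poll_forever(fetch, handle, interval, max_rounds=None, sleep=time.sleep):
    """Run the collection loop; the script itself never returns, so Splunk's
    inputs.conf 'interval' is irrelevant and the pacing must live here.

    max_rounds and sleep exist only so the loop can be exercised offline.
    Returns the number of completed rounds when max_rounds is reached.
    """
    rounds = 0
    while True:
        events = fetch()            # one SDEE connection to the IPS
        for event in events:
            handle(event)           # e.g. ipsLogger.info(syslog_msg)
        rounds += 1
        if max_rounds is not None and rounds >= max_rounds:
            return rounds
        # Sleep is one indentation level "up" from handle(): it runs once per
        # connection, not once per event, and not at all if placed inside the
        # for loop over an empty result.
        sleep(interval)


if __name__ == "__main__":
    poll_forever(lambda: [], lambda e: None, parse_interval(sys.argv))
```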

Re: Interval not working on script

Builder

Thanks! I'll be sure to upgrade and give it a shot.


Re: Interval not working on script

Builder

Worked like a champ - thanks for the update.
