Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Python scripts invoked by the Splunk Forwarder never exit

alekksi
Communicator
‎06-04-2014 08:35 AM

Hi guys,

I'm using the Splunk Universal Forwarder (v5.0.3 - same as our Splunk enterprise; hopefully we are updating to 6.1 soon) to invoke python scripts which pull data from a specific source and output it over stdout to Splunk.

Currently the scripts seem to never end. They sit there in perpetuity without ever finishing. Below is the ps -ef of the running script, fifteen minutes after execution.

root 12360 12332 0 14:47 ? 00:00:00 python /opt/splunkforwarder/etc/apps/PerfStat/bin/perfStatImpl.py

Script is relatively straightforward, but here is a pared down version, removing unnecessary code:

try:

    [...]

    command = Popen(my_object.getCommand(),shell=True, stdout=PIPE)

    my_parse = sarparser.sarParser(argv[1], sar_gen.getDate())

    my_parse.parse(command)

    my_parse.output()

except:

    [...]

    exit(2)

exit(0)

Does anyone have any ideas? I've had this process (non-)running for almost an hour now, yet nothing has been output to Splunk! I can tell the script has completed as the log files have fully completed.

Tags (3)
0 Karma
Reply

alekksi
Communicator
‎06-11-2014 04:37 AM

Resolved now -- forwarder had some dodgy config (I blame ITSec 🙂 and splunk was crapping out accepting the amount of data I was throwing at it. Fixing the config and reducing the amount of data at one time sorted this out.

0 Karma
Reply

lguinn2
Legend
‎06-04-2014 01:27 PM

Here are a couple of ideas:

1 - what happens if you simply execute the script from the command line?

cd $SPLUNK_HOME/etc/apps/yourapp/bin
./yourscript.py

2 - what happens if you ask Splunk to execute the script in its environment?

cd $SPLUNK_HOME/bin
./splunk cmd $SPLUNK_HOME/etc/apps/yourapp/bin/yourscript.py

My guess is that it will hang in one of those two scenarios as well, but this should help you debug.

Reply

alekksi
Communicator
‎06-06-2014 03:15 AM

Turns out that Splunk is taking issue with the amount of data I'm feeding it at once. It processes ~7-10 thousand lines before it just gives up on it.

0 Karma
Reply

alekksi
Communicator
‎06-05-2014 07:55 AM

Thanks for the ideas. Unfortunately both of them return the expected output. Even the process spawned by splunk for the script has the correct string which works if run. I've even rewritten the script slightly to use the .communicate() function which apparently reduces potential deadlocks.

Very confused.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...