Getting Data In

Script input troubleshoot

tamduong16
Contributor

Hi, I am trying to index from my python script. I followed the steps in this page to setup my data: http://docs.splunk.com/Documentation/Splunk/latest/Data/Getdatafromscriptedinputs#Add_a_scripted_inp...

I don't know why I tried the followings without it working:
- Placed the python script in these files ($SPLUNK_HOME/etc/system/bin and $SPLUNK_HOME/etc/apps/search/bin)
- write a stanza in inputs.conf (tried both $SPLUNK_HOME/etc/system/local folder and $SPLUNK_HOME/etc/apps/search/local folder)
- also wrote a stanza for props.conf in $SPLUNK_HOME/etc/system/local folder
- restart the splunkd

I followed steps in the documentation and also tested the scripts in command line. I still don't know what am i missing here. This is my input.conf stanza:
[script://C:\Program Files\Splunk\etc\system\bin]
disabled = 0
host = ABC
index = report
interval = -1
source = reportA
sourcetype = report_json

Thanks for the help!

0 Karma
1 Solution

jconger
Splunk Employee
Splunk Employee

Here is what i would do:

  1. Place your Python file in $SPLUNK_HOME/etc/apps/search/local/bin
  2. Create/edit $SPLUNK_HOME/etc/apps/search/local/inputs

Here are the contents of inputs.conf:

[script://.\bin\myScript.py]
interval = -1 # or some other interval
# any other settings

View solution in original post

jconger
Splunk Employee
Splunk Employee

Here is what i would do:

  1. Place your Python file in $SPLUNK_HOME/etc/apps/search/local/bin
  2. Create/edit $SPLUNK_HOME/etc/apps/search/local/inputs

Here are the contents of inputs.conf:

[script://.\bin\myScript.py]
interval = -1 # or some other interval
# any other settings

tamduong16
Contributor

I added a bin folder in that directory but i don't have it working 😞

0 Karma

jconger
Splunk Employee
Splunk Employee

An interval of -1 tells Splunk to run the script at start up. Have you restarted?

How are you testing this? Are you running a search on your report index (as specified in your example inputs.conf)?

Also, I'm making assumptions on your Python code. Whatever goes to STDOUT (the screen when run from the command line) should show up in Splunk.

Do you see any errors in your internal index using the following search:

index=_internal sourcetype=splunkd

tamduong16
Contributor

You are right. I could see an error as below:
ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\search\bin\REV_API_viewerreport.py"" python: can't open file 'C:\Program Files\Splunk\etc\apps\search\bin\REV_API_viewerreport.py': [Errno 2] No such file or directory.

I do have my python script in that directory. Why does it state no such file?
I used command line to run the script and I could see the changes in the index. But when I start to put the script in Splunk it doesn't work. Thanks!

0 Karma

jconger
Splunk Employee
Splunk Employee

What does your inputs.conf look like now?

0 Karma

tamduong16
Contributor

@jconger
I found out where the problem is. I have to remove the . infront of .\bin\myscript.py. But I ran into another problem with ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\system\bin\REV_API_viewerreport.py"" ImportError: No module named splunklib.client.
I tried to play the splunklib packages inside bin but it still dispay the same error. How can I fix this error?

0 Karma

jconger
Splunk Employee
Splunk Employee

You will need to put any dependencies in your bin directory too. splunklib.client is in the Splunk Python SDK. You can download it here -> http://dev.splunk.com/python. Copy the splunklib folder into your bin folder.

0 Karma

tamduong16
Contributor

@jconger
I don't have a bin folder in that directory. Do I just create a bin folder?

0 Karma

jconger
Splunk Employee
Splunk Employee

Yes, just create a bin folder

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...