Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Scripted Input timeout
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hypothetically, if I have a scripted input that takes 6 minutes to run, and I execute it every 5 minutes, what should I expect to happen?
a) Splunk will kill the first one before starting the second one.
b) Splunk will run the first one and wait until it finishes to start the next one.
c) Splunk will kick off the first one, and then kick off the second one, leaving 2 threads running for 1 minute.
I'm just curious as I didn't see a script timeout option. I did see that some folks have scripts that run "forever" and provide input the entire time. Which is an option for me, but wanted to know how Splunk prefers to work.
Thanks,
Paul
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And the answer is...
"B" ... Splunk will run the first one and wait until it finishes to start the next one.
I would suggest, you (as you mentioned) have a script that will loop itself and run forever, you can then set the interval = -1 option in your inputs.conf file.
OR
You could implement some kind of timeout factor into your script incase your script "hangs" or takes longer than expected.
Regards,
MHibbin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And the answer is...
"B" ... Splunk will run the first one and wait until it finishes to start the next one.
I would suggest, you (as you mentioned) have a script that will loop itself and run forever, you can then set the interval = -1 option in your inputs.conf file.
OR
You could implement some kind of timeout factor into your script incase your script "hangs" or takes longer than expected.
Regards,
MHibbin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
my understanding is... and this is only from my experience of long-running scripts, which hasn't extensively been tested..
A scripted input will try to run from the time Splunk creates an "ExecProcessor" for that script at start-up, e.g:
06-17-2012 16:06:54.644 +0100 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/search/bin/script.py
06-17-2012 16:06:54.644 +0100 INFO ExecProcessor - interval: 60000 ms
So in this extract from splunkd.log you can see my script will try to run every 60 seconds from 16:06:54.644. If my script takes 61 seconds...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, that was kind of what I thought. So does the interval time, say 5 minutes, start from the time that the last execution ended? Or does Splunk think that it needs to run again immediately because it missed the last time?
My choice is to have Splunk run a database dumper executable on a timed interval, or have a Windows Service run continuously and do all of the work and just have Splunk read its output.
Paul
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
