I've noticed that after changing the interval setting in inputs.conf for our various IPSes, it still connects to the IPSes every 1 second regardless of what I set the interval to. Is there a reason for it not respecting this value, or is there a setting that I may be missing?
Hey Josh, the SDEE connection module used by get_ips_feed.py has a default 1 second retry on unsuccessful connections. As such, it sounds like it might be a connection issue.
The scripted input writes to the log file $SPLUNK_HOME/var/log/splunk/sdee_get.log, which contains status information for the connection. Have you tried checking that to see if there's any information there?
Yeah, I looked into sdee_get.log initially and it does not report any issues; it shows successful connections to the IPS and then no more repeat messages. When I actually look at the process list on the machine (ps aux), I see the processes constantly running. Should this be the case, or should I only see them in the process list every X minutes as they are configured in inputs.conf?
I have the same trouble as you. After a quick look, I think I found the mistake:
File getipsfeed.py:
58 while 1:
I do not know why, but the loop runs forever; there is no exit/break in this loop.
We should ask Splunk why... maybe it's a bug.
A quick and dirty fix: add a break at the end of the loop:
167 ### Commen/Uncomment to write to stdout
168 # print syslog_msg +"\n"
It seems to work for me. Do not forget to change the "interval" option to 60, for example.
Let me know if it works for you too.
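As an added example (not code from get_ips_feed.py, getipsfeed.py or anything Splunk ships), here is what the missing break is for in a scripted input: the process has to exit after one poll so that the "interval" in inputs.conf, not the script's own loop, decides when the next connection is made. The fake SDEE feed, the alert strings, and the function names poll_once and run_scripted_input are all constructed for this example; the only real behaviour it mirrors is a loop that either returns after a successful fetch or gives up after a bounded number of retries.

```python
# Added example, not the code of get_ips_feed.py: a scripted-input poll loop
# that returns after ONE successful fetch (or after a bounded number of
# retries), so the process exits and Splunk's scheduler runs it again at the
# configured interval. The SDEE session is replaced by a constructed fake.
import sys
import time
from typing import Callable, List, Optional, Tuple


class ConnectionFailed(Exception):
    """Stands in for an SDEE connection error in this example."""


def fake_sdee_feed(failures_before_success: int) -> Callable[[], List[str]]:
    """Constructed stand-in for an SDEE session (hypothetical, for the example).

    The returned callable raises ConnectionFailed for the first
    `failures_before_success` calls and then returns a few constructed alerts.
    """
    calls = {"n": 0}

    def fetch() -> List[str]:
        calls["n"] += 1
        if calls["n"] <= failures_before_success:
            raise ConnectionFailed("simulated SDEE connect failure")
        # Constructed sample alerts, not real sensor output.
        return [
            "evIdsAlert sig=2001 severity=high src=10.0.0.5 dst=10.0.0.9",
            "evIdsAlert sig=3327 severity=medium src=10.0.0.7 dst=10.0.0.9",
        ]

    return fetch


def poll_once(fetch: Callable[[], List[str]], max_retries: int = 5,
              retry_delay: float = 1.0,
              sleep: Callable[[float], None] = time.sleep,
              log: Optional[Callable[[str], None]] = None) -> Tuple[List[str], int]:
    """Fetch events once, retrying a bounded number of times on failure.

    Returns (events, attempts). The loop leaves in exactly two ways: a
    successful fetch (return) or exhausted retries (ConnectionFailed
    propagates). A `while 1:` with neither path keeps the process alive
    forever, and the interval in inputs.conf never gets a chance to apply.
    """
    attempts = 0
    while True:
        attempts += 1
        try:
            events = fetch()
        except ConnectionFailed as exc:
            if log:
                log("attempt %d failed: %s" % (attempts, exc))
            if attempts > max_retries:
                raise           # give up; exit non-zero, retry next interval
            sleep(retry_delay)  # the short retry delay on a failed connection
            continue
        return events, attempts  # the exit the forever loop lacks


def run_scripted_input(fetch: Callable[[], List[str]],
                       emit: Optional[Callable[[str], None]] = None,
                       max_retries: int = 5, retry_delay: float = 1.0,
                       sleep: Callable[[float], None] = time.sleep,
                       log: Optional[Callable[[str], None]] = None) -> int:
    """One invocation of the scripted input: emit events, return exit status.

    0 = events written; 1 = could not connect within the retry budget.
    Either way the function returns, so the process exits and Splunk can
    launch it again when the configured interval elapses.
    """
    if emit is None:
        emit = lambda line: sys.stdout.write(line + "\n")
    try:
        events, _ = poll_once(fetch, max_retries, retry_delay, sleep, log)
    except ConnectionFailed as exc:
        if log:
            log("giving up: %s" % exc)
        return 1
    for line in events:
        emit(line)
    return 0


if __name__ == "__main__":
    # Stand-alone run against the fake feed: two failures, then success.
    sys.exit(run_scripted_input(fake_sdee_feed(2), retry_delay=0.0,
                                log=lambda m: sys.stderr.write(m + "\n")))
```

After a change like this, `ps aux` between two intervals should no longer show the script at all, which is the check the second poster used to spot the problem. Note that a retry loop without a cap has the same symptom as the `while 1:`: if the sensor never answers, the process never exits and the interval is again irrelevant, so the retry budget is what turns a connection failure into a non-zero exit that the next scheduled run can recover from.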