Getting Data In

Why am I receiving "error code 1" trying to run a PHP script with the script command?

redc
Builder

Maybe I'm blowing smoke, but as I understand it, you can use PHP scripts with the "script" command. This is preferable for us because most of our developers are PHP programmers, NOT Python programmers.

We're in the process of developing our first PHP script and every time we try to run it, we get External search command 'my-php-script' returned error code 1.

This is the search we're running:
| script my-php-script

The purpose of the script will be to fetch a file from a given location on our SAN device (which is accessible from our Splunk server via mounted location) for use as a lookup (short answer to "why": we don't want all-and-sundry uploading lookup files to /opt/splunk/etc/apps/[their app]/lookups because it clutters things up and consumes Splunk server disk space).

I can't find any errors in /opt/splunk/var/log/splunk

I tried copying the PHP script to /opt/splunk/bin and running ./splunk cmd my-php-script.php and I get the error, couldn't run "/opt/splunk/bin/my-php-script.php": Exec format error To my unpracticed eye, this suggests that it's not able to run PHP scripts and that we really are stuck with Python.

Am I missing something, or am I completely wrong about being able to run PHP commands this way?

NOTE: we are running Splunk in a Linux environment; the server has PHP 5.4 installed on it.

Tags (3)
0 Karma
1 Solution

alacercogitatus
SplunkTrust
SplunkTrust

First: http://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/

Second: According to the documentation: http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Script , you are "stuck" with Python if you are going to use the "script" search command.

Third: If you really wanted to use PHP, I would recommend to create an "External Lookup" that will do exactly what you want. However, you must first write a python wrapper that executes the php, and returns the output correctly to the python, which returns it to Splunk. EDIT: Adding Reference for External Lookup config: http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Addfieldsfromexternaldatasources#Externa...

Fourth: Use a Splunk Lookup. This IS NOT supported, but you could create a Splunk App in $SPLUNK_HOME/etc/apps, create the lookups folder, define the lookup and the "ln -s here toThere" the lookup file. I wouldn't do it, but might work.

EDIT:
Fifth (but should be fourth - too lazy to renumber): You can rsync only the files you want to be used in lookups to the aforementioned "Lookup App", instead of a sym link. Keeps the users from "randomly uploading" and keeps control of lookups with you, the admin. Only those in the rsync script get sent to the Splunk file system. I have a dedicated app (SA-lookups) that has most of our custom lookups. This app gets rsynced to all indexers and search heads. Then you don't have to send the bundles across with massive lookups in it.

P.S.S: Also, I recently found this:https://www.youtube.com/watch?v=o0u4M6vppCI . I can't stop watching it and that scares me. Enjoy.

View solution in original post

alacercogitatus
SplunkTrust
SplunkTrust

First: http://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/

Second: According to the documentation: http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Script , you are "stuck" with Python if you are going to use the "script" search command.

Third: If you really wanted to use PHP, I would recommend to create an "External Lookup" that will do exactly what you want. However, you must first write a python wrapper that executes the php, and returns the output correctly to the python, which returns it to Splunk. EDIT: Adding Reference for External Lookup config: http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Addfieldsfromexternaldatasources#Externa...

Fourth: Use a Splunk Lookup. This IS NOT supported, but you could create a Splunk App in $SPLUNK_HOME/etc/apps, create the lookups folder, define the lookup and the "ln -s here toThere" the lookup file. I wouldn't do it, but might work.

EDIT:
Fifth (but should be fourth - too lazy to renumber): You can rsync only the files you want to be used in lookups to the aforementioned "Lookup App", instead of a sym link. Keeps the users from "randomly uploading" and keeps control of lookups with you, the admin. Only those in the rsync script get sent to the Splunk file system. I have a dedicated app (SA-lookups) that has most of our custom lookups. This app gets rsynced to all indexers and search heads. Then you don't have to send the bundles across with massive lookups in it.

P.S.S: Also, I recently found this:https://www.youtube.com/watch?v=o0u4M6vppCI . I can't stop watching it and that scares me. Enjoy.

redc
Builder

Pfff. I was afraid that was going to be the case.

I could swear I read somewhere that you could use PHP scripts instead of Python, though. Different mechanism, maybe?

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

As long as it is properly wrapped, you can use php. I think specifically, was the script inputs. You can write a "cmd" file to monitor input, and then that has a single line with "/your/php /your/php/script.php" that executes and returns the output. Please accept if this answers your question. (Shia LaBeouf).

0 Karma

gesman
Communicator

Try to adjust command line to run your script as a command line to PHP interpreter (adjust path for your environment):
/usr/local/bin/php /opt/splunk/bin/my-php-script.php

0 Karma

redc
Builder

When I do that, I get:

Script running from unexpected location '/opt/splunk/bin/my-php-script.php'

We are running Splunk under its OWN user (not under the root user), we could have some sort of permissions issue going on, perhaps (though I'm not sure where to start looking).

We tried to add debug to the script to have it write output to its local file, and when running the script, we get:

PHP Warning: file_put_contents(/my-php-script_log.txt): failed to open stream: Permission denied in /opt/splunk/bin/my-php-script.php on line 8

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...