Getting Data In

Why is my bash scripted input failing on Ubuntu while it's OK on other distros?

D2SI
Communicator

Hello,

I have an issue with a scripted input.

I have 2 Linux on Amazon Web Services (AWS) :

  • 1 based one AWS Linux AMI
  • 1 based on Ubuntu

On AWS Linux Amazon Machine Image (AMI) :

  • script is OK when launched manually
  • script is OK when launched by Splunk via scripted input

On Ubuntu :

  • script is OK when launched manually
  • script KO when launched by Splunk via scripted input

I would get errors like:

Error in sitecustomize; set PYTHONVERBOSE for traceback
AttributeError: module 'sys' has no attribute 'setdefaultencoding'
prepare_body() takes 3 positional arguments but 4 were given

I do not know why it even mention Python since it is a bash script.

I try each line of the script one by one but, via Splunk it fails at things such as :

\#!/usr/bin/env bash

set -o nounset

START_TIME="${SECONDS}"

---> Fails saying SECONDS is not declared and since using 'set -o nounset'.

But SECONDS is an internal variable, and since :

  • I do not meet that issue in other ways script is launched (on Linux AMI & manually on Ubuntu)
  • I get other weird errors for other small instructions anyhow

Hence, sorry for not posting more clear error examples, but since the script seems all OK in other contexts as mentioned, I feeI feel like I am missing something in the way the script is being launched by Splunk.

Is there anything specific I should take into account running a bash script from Splunk on Ubuntu ?

Is there a way to launch such a script using a Splunk command like it can be done for Python using "splunk cmd python script.py" ?

Thanks in advance for any hints!

1 Solution

woodcock
Esteemed Legend

Try adding this to the very top of your script:

unset LD_LIBRARY_PATH

If that doesn't do it, try adding this ALSO (keep the above line, too):

unset PYTHONPATH

View solution in original post

woodcock
Esteemed Legend

Try adding this to the very top of your script:

unset LD_LIBRARY_PATH

If that doesn't do it, try adding this ALSO (keep the above line, too):

unset PYTHONPATH

D2SI
Communicator

Thanks a lot ! With both, it works on Ubuntu and still works on AWS Linux AMI so it's perfect.

I tried to run echo $LD_LIBRARY_PATH & $PYTHONPATH, it returned an empty line on both distros.

0 Karma

woodcock
Esteemed Legend

This drove me crazy until I figured it out. I forget how long it took...

0 Karma

dauren_akilbeko
Communicator

Is there a way to launch such script
using Splunk command like it can be
done for Python using "splunk cmd
python script.py" ?
splunk cmd script.sh

0 Karma

D2SI
Communicator

Thanks,

'splunk cmd script.sh' seems to be working only with the scripted copied to $SPLUNK_HOME/bin, but it works!

And it generates the same errors I see when launched from the scripted input.

0 Karma

dauren_akilbeko
Communicator

Did you check permissions on th script file?
Also can you run some other arbitrary script (Echo something), to see if it also fails.

0 Karma

D2SI
Communicator

Yes I had double checked on permissions.

Yes "echo something" would work on Ubuntu, but errors would raise as soon as I introduce small instructions.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...