Why is my script exiting with code 1 on enterprise security app when I run a script action?

Explorer

Hello Folks.
I've created a script that should initiate the 'HIPCHAT' messaging application's APIs.
While running the script (on the ES machine) via the CLI it works fine. After 3 days of workarounds, the ES 'run a script' action runs the script and fails with exit code 1 no matter what I've tried.

This is the command for the API.

/usr/bin/curl -H 'Content-Type: application/json' -X 'POST' -d '{"message_format": "text", "message": "Threat - hipchat - Rule"}' 'https://api.hipchat.com/v2/room/4415200/notification?auth_token=mytoken' 

This is the script:

\#!/bin/bash 

ROOM_ID=4415200 
AUTH_TOKEN=mytoken


curl="'""Content-Type: application/json""'" 
echo curl=$curl >> "/opt/splunk/bin/scripts/splunk-hiptest.out" 

post="'""POST""'" 
echo post=$post >> "/opt/splunk/bin/scripts/splunk-hiptest.out" 


MESSAGE="'""{\"message_format\": \"text\", \"message\": \"$4\"}""'" 
echo message=$MESSAGE >> "/opt/splunk/bin/scripts/splunk-hiptest.out" 

url="'""https://api.hipchat.com/v2/room/4415200/notification?auth_token=mytoken""'" 
echo url=$url >> "/opt/splunk/bin/scripts/splunk-hiptest.out" 



echo curl -H $curl \
-X $post \
-d $MESSAGE \
$url >> "/opt/splunk/bin/scripts/splunk-hiptest.out"


echo curl_exit_code = $? >> "/opt/splunk/bin/scripts/splunk-hiptest.out" 

Workarounds

  1. Tried to run a script with a single command row.
  2. Tried to build the command with/without args.

Please help 🙂
Thanks!

0 Karma

Path Finder

You can change

 \#!/bin/bash

to

#!/bin/bash

And

 echo curl -H $curl \
 -X $post \
 -d $MESSAGE \
 $url >> "/opt/splunk/bin/scripts/splunk-hiptest.out"

should be

curl -H $curl \
 -X $post \
 -d $MESSAGE \
 -o "/opt/splunk/bin/scripts/splunk-hiptest.out" \
 $url
curl_exit_code=$?
echo $curl_exit_code >> /opt/splunk/bin/scripts/splunk-hiptest.out
exit $curl_exit_code

0 Karma

Explorer

My bad for not pointing this out...
1. In my original script /bin/bash is as expected (without \).
2. The curl command is not 'echo'ed. I forgot to remove it while copy-pasting here.

Sorry.
Anyway, you actually see -o output while Splunk runs the script.

Any other ideas what is the BIG diff between Splunk and CLI?

0 Karma
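
An added example, not part of any post in this thread: a version of the notification script that passes each curl argument as one quoted word, escapes the alert text before placing it in the JSON body, keeps the auth token out of the log file, and records curl's stderr and exit code so a failure under Splunk can be compared with a CLI run. The function names and the `LOG` override are assumptions; the room ID, placeholder token, log path and use of the fourth argument come from the posted script.

```shell
#!/bin/sh
# Added example, not code from the thread. ROOM_ID, AUTH_TOKEN and the log
# path are the values shown in the post; "mytoken" is the post's placeholder.
ROOM_ID=4415200
AUTH_TOKEN=mytoken
LOG="${LOG:-/opt/splunk/bin/scripts/splunk-hiptest.out}"

# Escape backslashes and double quotes so the alert text cannot break out of
# the JSON string. Assumes single-line input (no control characters).
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the request body in the same shape as the command in the post.
build_payload() {
    printf '{"message_format": "text", "message": "%s"}' "$(json_escape "$1")"
}

# Hide the auth_token query parameter before a URL is written to a log.
redact_url() {
    printf '%s' "$1" | sed 's/\(auth_token=\)[^&]*/\1REDACTED/'
}

send_notification() {
    payload=$(build_payload "$1")
    url="https://api.hipchat.com/v2/room/${ROOM_ID}/notification?auth_token=${AUTH_TOKEN}"
    {
        echo "url=$(redact_url "$url")"
        echo "payload=$payload"
        # The environment under a service can differ from a login shell.
        echo "PATH=$PATH"
        echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH:-}"
    } >> "$LOG"
    # Each argument is one quoted word; stderr goes to the log with the body.
    /usr/bin/curl -sS -H 'Content-Type: application/json' -X POST \
        -d "$payload" "$url" >> "$LOG" 2>&1
    rc=$?
    echo "curl_exit_code=$rc" >> "$LOG"
    return "$rc"
}

# Send only when called with at least four arguments, using the fourth as
# the message text like the posted script does.
if [ "$#" -ge 4 ]; then
    send_notification "$4"
    exit $?
fi
```

Comparing the logged `PATH` and `LD_LIBRARY_PATH` lines from a Splunk-triggered run with those from a CLI run shows whether the two executions see the same environment.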