Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why is my script exiting with code 1 on enterprise security app when I run a script action?

OBsecurity
Explorer
‎01-31-2018 02:35 AM

Hello Folks.
I've created a script that should initiate 'HIPCHAT' messaging application api's.
While running the script (on the es machine) via cli it works fine. After 3 days of workarounds - ES 'run a script' action runs the script and fails with exit code 1 no matter what I've tried.

This is the command for the api. 

/usr/bin/curl -H 'Content-Type: application/json' -X 'POST' -d '{"message_format": "text", "message": "Threat - hipchat - Rule"}' 'https://api.hipchat.com/v2/room/4415200/notification?auth_token=mytoken'

this is the script: 

\#!/bin/bash 

ROOM_ID=4415200 
AUTH_TOKEN=mytoken


curl="'""Content-Type: application/json""'" 
echo curl=$curl >> "/opt/splunk/bin/scripts/splunk-hiptest.out" 

post="'""POST""'" 
echo post=$post >> "/opt/splunk/bin/scripts/splunk-hiptest.out" 


MESSAGE="'""{\"message_format\": \"text\", \"message\": \"$4\"}""'" 
echo message=$MESSAGE >> "/opt/splunk/bin/scripts/splunk-hiptest.out" 

url="'""https://api.hipchat.com/v2/room/4415200/notification?auth_token=mytoken""'" 
echo url=$url >> "/opt/splunk/bin/scripts/splunk-hiptest.out" 



echo curl -H $curl \ 
-X $post \ 
-d $MESSAGE \ 
$url >> "/opt/splunk/bin/scripts/splunk-hiptest.out" 


echo curl_exit_code = $? >> "/opt/splunk/bin/scripts/splunk-hiptest.out"

Workarounds

  1. tried to run a script with a single command row.
  2. tried to build the command with\without args.

please help 🙂
Thanks!

0 Karma
Reply

jeanyvesnolen
Path Finder
‎02-01-2018 01:51 AM

You can change to

 \#!/bin/bash

To 

#!/bin/bash

And

 echo curl -H $curl \ 
 -X $post \ 
 -d $MESSAGE \ 
 $url >> "/opt/splunk/bin/scripts/splunk-hiptest.out"

Should be

curl -H $curl \
 -X $post \ 
 -d $MESSAGE \ 
-o "/opt/splunk/bin/scripts/splunk-hiptest.out" \
 $url
curl_exit_code=$?
echo $curl_exit_code >> /opt/splunk/bin/scripts/splunk-hiptest.out
exit $curl_exit_code
0 Karma
Reply

OBsecurity
Explorer
‎02-01-2018 02:08 PM

My bad for not pointing this...
1. in my origin script /bin/bash is as expected (without )
2. curl command is not 'echo'ed. i forgot to remove it while copy-paste here.

sorry.
anyway, you actually see -o output while splunk runs the script.

any other ideas what is the BIG diff between splunk and cli?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...