Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

missing data from script input.

efaundez
Path Finder
‎10-05-2020 11:52 AM

Good afternoon

Currently we have a UF that is configured with 50 inputs, of which 49 work well and only 1 does not index events and also reports any errors.

Review the information on the internal validating that the splunkd does not inform any evidence that it can help to validate why this input is not working.

But what you see is what you do next query
index = _introspection component = PerProcess "event that does not index ..." I have current information, the script runs every 1 minute and gives me the next information.

component: PerProcess
date: {[-]
args: python /path/file.py XXXXXXXX
elapsed: 111505.2300
fd_used: 5
mem_used: 8,555
normalized_pct_cpu: 0.00
page_faults: 0
pct_cpu: 0.00
pct_memory: 0.01
pid: 22673
ppid: 7990
process: python2.7
process_type: other
read_mb: 0.000
status: W
t_count: 1
written_mb: 0.000
}
datetime: 10-05-2020 15: 36: 26.387 -0300
log_level: INFO

Review the too many events that you index and don't use these metrics .... why when the event I stop indexing this information splunk differently,... and I don't understand why they too many fuels that are working correctly in the tienen this information.

Any help is appreciated.

 

Labels (4)
0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎10-06-2020 02:01 PM

Does the script run if you run it manually, with, for instance,

splunk cmd python /path/to/file.py

(Obviously fix that syntax, I'm sure it's wrong!)

Beyond that, I'm not sure what other information you've give us.  I think autocorrect may have "fixed" many of your words for you, because I can't quite make sense out of the remainder of the question.  Happy to listen again if you want to try reposting that?

0 Karma
Reply

efaundez
Path Finder
‎10-09-2020 05:19 AM

Sorry for the delay, validate that the python as a process in the OS was taken and it was like that for more than 2 days, the _internal was checked and there was no information of any error or that splunk will show that there is a script input it cannot be executed for XXX reason .

To solve this, the input via web was deactivated (in an HF server) and then it was enabled, and after that it was validated that the indexing is done correctly.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...