Getting Data In

missing data from script input.

efaundez
Path Finder

Good afternoon

Currently we have a UF that is configured with 50 inputs, of which 49 work well and only 1 does not index events and also reports any errors.

Review the information on the internal validating that the splunkd does not inform any evidence that it can help to validate why this input is not working.

But what you see is what you do next query
index = _introspection component = PerProcess "event that does not index ..." I have current information, the script runs every 1 minute and gives me the next information.

component: PerProcess
date: {[-]
args: python /path/file.py XXXXXXXX
elapsed: 111505.2300
fd_used: 5
mem_used: 8,555
normalized_pct_cpu: 0.00
page_faults: 0
pct_cpu: 0.00
pct_memory: 0.01
pid: 22673
ppid: 7990
process: python2.7
process_type: other
read_mb: 0.000
status: W
t_count: 1
written_mb: 0.000
}
datetime: 10-05-2020 15:36:26.387 -0300
log_level: INFO

Review the too many events that you index and don't use these metrics .... why when the event I stop indexing this information splunk differently,... and I don't understand why they too many fuels that are working correctly in the tienen this information.

Any help is appreciated.

0 Karma

Richfez
SplunkTrust

Does the script run if you run it manually, with, for instance,

splunk cmd python /path/to/file.py

(Obviously fix that syntax, I'm sure it's wrong!)

Beyond that, I'm not sure what other information you've given us. I think autocorrect may have "fixed" many of your words for you, because I can't quite make sense out of the remainder of the question. Happy to listen again if you want to try reposting that?

0 Karma

efaundez
Path Finder

Sorry for the delay, validate that the python as a process in the OS was taken and it was like that for more than 2 days, the _internal was checked and there was no information of any error or that splunk will show that there is a script input it cannot be executed for XXX reason.

To solve this, the input via web was deactivated (in an HF server) and then it was enabled, and after that it was validated that the indexing is done correctly.

0 Karma
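Added example (not written by anyone in this thread, and not Splunk code): the PerProcess event in the question shows a script scheduled every minute with an elapsed value of 111505.23, and the last post confirms the process had been hung in the OS. The sketch below flags such hung scripted inputs from exported PerProcess events; the JSON layout with fields nested under `data`, the sample events, the `INTERVALS` map and the `find_stuck_inputs` name are all assumptions.

```python
import json

# Constructed sample events (not real data). Field names follow the PerProcess
# event in the question; nesting them under "data" is an assumption.
SAMPLE_EVENTS = [
    '{"component": "PerProcess", "data": {"pid": 22673, "ppid": 7990, '
    '"process": "python2.7", "args": "python /path/file.py XXXXXXXX", '
    '"elapsed": 111505.23, "pct_cpu": 0.0, "status": "W"}}',
    '{"component": "PerProcess", "data": {"pid": 30112, "ppid": 7990, '
    '"process": "python2.7", "args": "python /path/other.py", '
    '"elapsed": 4.1, "pct_cpu": 1.2, "status": "W"}}',
    '{"component": "PerProcess", "data": {"pid": 7990, "ppid": 1, '
    '"process": "splunkd", "args": "-p 8089 start", '
    '"elapsed": 900000.0, "pct_cpu": 0.5, "status": "W"}}',
    'not json',  # malformed line, must be skipped
]

# Hypothetical map: script path -> configured input interval in seconds.
INTERVALS = {"/path/file.py": 60, "/path/other.py": 60}


def find_stuck_inputs(lines, intervals, factor=3):
    """Return scripted-input processes running longer than factor * interval."""
    stuck = []
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if not isinstance(event, dict) or event.get("component") != "PerProcess":
            continue
        data = event.get("data") or {}
        args = str(data.get("args", "")).split()
        script = next((a for a in args if a in intervals), None)
        if script is None:
            continue  # splunkd itself, or a process with no known interval
        elapsed = float(data.get("elapsed", 0))
        if elapsed > factor * intervals[script]:
            stuck.append({"pid": data.get("pid"), "script": script,
                          "elapsed": elapsed,
                          "overrun": round(elapsed / intervals[script], 1)})
    return stuck


if __name__ == "__main__":
    for hit in find_stuck_inputs(SAMPLE_EVENTS, INTERVALS):
        print(hit)
```

The same comparison can be scheduled as an alert so that a hung script is caught even when splunkd logs no error for it.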