Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

problems running file_meta_data app in aix 7.x

plimpach
Explorer
‎08-07-2019 09:14 AM

Hi, I am trying to run file_meta_Data app in aix, and keep getting an exit code of 1 from introspection
It runs successfully for me in Linux, so I believe I have the basic config setup working properly.
Versions:
splunk universal forwarder version 7.2.6
AIX version 7.1
python version 2.6.2
file_meta_data app version 1.4.2

inputs.conf config sample 

[file_meta_data://blah837P]
file_path = /npc/clients/blah837P/
host=<fqdn>
interval = 2m
recurse = 1
only_if_changed = 1
include_file_hash = 0
depth_limit = 10000
# file_filter = 999*
index = app_custom
sourcetype = db:meta:files

[file_meta_data://ntst277CA]
file_path = /npc/clients/blah/277CA/
host=<fqdn>
interval = 2m
recurse = 1
only_if_changed = 1
include_file_hash = 0
depth_limit = 10000
# file_filter = 999*
index = app_custom
sourcetype = db:meta:files

error message from splunkd.log:
08-07-2019 11:08:32.784 -0400 ERROR ModularInputs - Introspecting scheme=file_meta_data: script running failed (exited with code 1).
08-07-2019 11:08:32.784 -0400 ERROR ModularInputs - Unable to initialize modular input "file_meta_data" defined inside the app "ntst_app_file_meta_data": Introspecting scheme=file_meta_data: script running failed (exited with code 1).

doing a search for index=_internal ExecProcessor "file_meta_data" sourcetype=splunkd yields no results for this host

doing a search for index=_internal sourcetype=file_meta_data_modular_input also yields no results for this host

it is acting like it is unable to run the python script.
Any thoughts on how to fix or troubleshoot?

0 Karma
Reply

plimpach
Explorer
‎08-09-2019 11:13 AM

I did some further research by logging it under debug, I get the error message

08-07-2019 16:07:33.795 -0400 DEBUG ModularInputs - Found script "/opt/splunkforwarder/etc/apps/ntst_app_file_meta_data/bin/file_meta_data.py" to handle scheme "file_meta_data".
08-07-2019 16:07:33.908 -0400 DEBUG ModularInputs - <stderr> Introspecting scheme=file_meta_data:  Traceback (most recent call last):
08-07-2019 16:07:33.909 -0400 DEBUG ModularInputs - <stderr> Introspecting scheme=file_meta_data:    File "/opt/splunkforwarder/etc/apps/ntst_app_file_meta_data/bin/file_meta_data.py", line 23, in <module>
08-07-2019 16:07:33.909 -0400 DEBUG ModularInputs - <stderr> Introspecting scheme=file_meta_data:      from modular_input import ModularInput, DurationField, BooleanField, IntegerField, WildcardField, Field, FieldValidationException
08-07-2019 16:07:33.909 -0400 DEBUG ModularInputs - <stderr> Introspecting scheme=file_meta_data:  zipimport.ZipImportError: can't decompress data; zlib not available
08-07-2019 16:07:33.909 -0400 ERROR ModularInputs - Introspecting scheme=file_meta_data: script running failed (exited with code 1).

the server has zlib, and we upgraded it - no difference in symptoms

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top