Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

problems running file_meta_data app in aix 7.x

plimpach
Explorer
‎08-07-2019 09:14 AM

Hi, I am trying to run file_meta_Data app in aix, and keep getting an exit code of 1 from introspection
It runs successfully for me in Linux, so I believe I have the basic config setup working properly.
Versions:
splunk universal forwarder version 7.2.6
AIX version 7.1
python version 2.6.2
file_meta_data app version 1.4.2

inputs.conf config sample 

[file_meta_data://blah837P]
file_path = /npc/clients/blah837P/
host=<fqdn>
interval = 2m
recurse = 1
only_if_changed = 1
include_file_hash = 0
depth_limit = 10000
# file_filter = 999*
index = app_custom
sourcetype = db:meta:files

[file_meta_data://ntst277CA]
file_path = /npc/clients/blah/277CA/
host=<fqdn>
interval = 2m
recurse = 1
only_if_changed = 1
include_file_hash = 0
depth_limit = 10000
# file_filter = 999*
index = app_custom
sourcetype = db:meta:files

error message from splunkd.log:
08-07-2019 11:08:32.784 -0400 ERROR ModularInputs - Introspecting scheme=file_meta_data: script running failed (exited with code 1).
08-07-2019 11:08:32.784 -0400 ERROR ModularInputs - Unable to initialize modular input "file_meta_data" defined inside the app "ntst_app_file_meta_data": Introspecting scheme=file_meta_data: script running failed (exited with code 1).

doing a search for index=_internal ExecProcessor "file_meta_data" sourcetype=splunkd yields no results for this host

doing a search for index=_internal sourcetype=file_meta_data_modular_input also yields no results for this host

it is acting like it is unable to run the python script.
Any thoughts on how to fix or troubleshoot?

0 Karma
Reply

plimpach
Explorer
‎08-09-2019 11:13 AM

I did some further research by logging it under debug, I get the error message

08-07-2019 16:07:33.795 -0400 DEBUG ModularInputs - Found script "/opt/splunkforwarder/etc/apps/ntst_app_file_meta_data/bin/file_meta_data.py" to handle scheme "file_meta_data".
08-07-2019 16:07:33.908 -0400 DEBUG ModularInputs - <stderr> Introspecting scheme=file_meta_data:  Traceback (most recent call last):
08-07-2019 16:07:33.909 -0400 DEBUG ModularInputs - <stderr> Introspecting scheme=file_meta_data:    File "/opt/splunkforwarder/etc/apps/ntst_app_file_meta_data/bin/file_meta_data.py", line 23, in <module>
08-07-2019 16:07:33.909 -0400 DEBUG ModularInputs - <stderr> Introspecting scheme=file_meta_data:      from modular_input import ModularInput, DurationField, BooleanField, IntegerField, WildcardField, Field, FieldValidationException
08-07-2019 16:07:33.909 -0400 DEBUG ModularInputs - <stderr> Introspecting scheme=file_meta_data:  zipimport.ZipImportError: can't decompress data; zlib not available
08-07-2019 16:07:33.909 -0400 ERROR ModularInputs - Introspecting scheme=file_meta_data: script running failed (exited with code 1).

the server has zlib, and we upgraded it - no difference in symptoms

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top