Getting Data In

problems running file_meta_data app in aix 7.x

plimpach
Explorer

Hi, I am trying to run file_meta_Data app in aix, and keep getting an exit code of 1 from introspection
It runs successfully for me in Linux, so I believe I have the basic config setup working properly.
Versions:
splunk universal forwarder version 7.2.6
AIX version 7.1
python version 2.6.2
file_meta_data app version 1.4.2

inputs.conf config sample

[file_meta_data://blah837P]
file_path = /npc/clients/blah837P/
host=<fqdn>
interval = 2m
recurse = 1
only_if_changed = 1
include_file_hash = 0
depth_limit = 10000
# file_filter = 999*
index = app_custom
sourcetype = db:meta:files

[file_meta_data://ntst277CA]
file_path = /npc/clients/blah/277CA/
host=<fqdn>
interval = 2m
recurse = 1
only_if_changed = 1
include_file_hash = 0
depth_limit = 10000
# file_filter = 999*
index = app_custom
sourcetype = db:meta:files

error message from splunkd.log:
08-07-2019 11:08:32.784 -0400 ERROR ModularInputs - Introspecting scheme=file_meta_data: script running failed (exited with code 1).
08-07-2019 11:08:32.784 -0400 ERROR ModularInputs - Unable to initialize modular input "file_meta_data" defined inside the app "ntst_app_file_meta_data": Introspecting scheme=file_meta_data: script running failed (exited with code 1).

doing a search for index=_internal ExecProcessor "file_meta_data" sourcetype=splunkd yields no results for this host

doing a search for index=_internal sourcetype=file_meta_data_modular_input also yields no results for this host

it is acting like it is unable to run the python script.
Any thoughts on how to fix or troubleshoot?

0 Karma

plimpach
Explorer

I did some further research by logging it under debug, I get the error message

08-07-2019 16:07:33.795 -0400 DEBUG ModularInputs - Found script "/opt/splunkforwarder/etc/apps/ntst_app_file_meta_data/bin/file_meta_data.py" to handle scheme "file_meta_data".
08-07-2019 16:07:33.908 -0400 DEBUG ModularInputs - <stderr> Introspecting scheme=file_meta_data:  Traceback (most recent call last):
08-07-2019 16:07:33.909 -0400 DEBUG ModularInputs - <stderr> Introspecting scheme=file_meta_data:    File "/opt/splunkforwarder/etc/apps/ntst_app_file_meta_data/bin/file_meta_data.py", line 23, in <module>
08-07-2019 16:07:33.909 -0400 DEBUG ModularInputs - <stderr> Introspecting scheme=file_meta_data:      from modular_input import ModularInput, DurationField, BooleanField, IntegerField, WildcardField, Field, FieldValidationException
08-07-2019 16:07:33.909 -0400 DEBUG ModularInputs - <stderr> Introspecting scheme=file_meta_data:  zipimport.ZipImportError: can't decompress data; zlib not available
08-07-2019 16:07:33.909 -0400 ERROR ModularInputs - Introspecting scheme=file_meta_data: script running failed (exited with code 1).

the server has zlib, and we upgraded it - no difference in symptoms

0 Karma
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...