Problems running file_meta_data app in AIX 7.x

plimpach
Explorer

Hi, I am trying to run the file_meta_data app in AIX, and keep getting an exit code of 1 from introspection.
It runs successfully for me in Linux, so I believe I have the basic config setup working properly.
Versions:
Splunk Universal Forwarder version 7.2.6
AIX version 7.1
Python version 2.6.2
file_meta_data app version 1.4.2

inputs.conf config sample

[file_meta_data://blah837P]
file_path = /npc/clients/blah837P/
host=<fqdn>
interval = 2m
recurse = 1
only_if_changed = 1
include_file_hash = 0
depth_limit = 10000
# file_filter = 999*
index = app_custom
sourcetype = db:meta:files

[file_meta_data://ntst277CA]
file_path = /npc/clients/blah/277CA/
host=<fqdn>
interval = 2m
recurse = 1
only_if_changed = 1
include_file_hash = 0
depth_limit = 10000
# file_filter = 999*
index = app_custom
sourcetype = db:meta:files

Error message from splunkd.log:
08-07-2019 11:08:32.784 -0400 ERROR ModularInputs - Introspecting scheme=file_meta_data: script running failed (exited with code 1).
08-07-2019 11:08:32.784 -0400 ERROR ModularInputs - Unable to initialize modular input "file_meta_data" defined inside the app "ntst_app_file_meta_data": Introspecting scheme=file_meta_data: script running failed (exited with code 1).

Doing a search for index=_internal ExecProcessor "file_meta_data" sourcetype=splunkd yields no results for this host.

Doing a search for index=_internal sourcetype=file_meta_data_modular_input also yields no results for this host.

It is acting like it is unable to run the Python script.
Any thoughts on how to fix or troubleshoot?

0 Karma

plimpach
Explorer

I did some further research by logging it under debug, and I get the error message:

08-07-2019 16:07:33.795 -0400 DEBUG ModularInputs - Found script "/opt/splunkforwarder/etc/apps/ntst_app_file_meta_data/bin/file_meta_data.py" to handle scheme "file_meta_data".
08-07-2019 16:07:33.908 -0400 DEBUG ModularInputs - <stderr> Introspecting scheme=file_meta_data:  Traceback (most recent call last):
08-07-2019 16:07:33.909 -0400 DEBUG ModularInputs - <stderr> Introspecting scheme=file_meta_data:    File "/opt/splunkforwarder/etc/apps/ntst_app_file_meta_data/bin/file_meta_data.py", line 23, in <module>
08-07-2019 16:07:33.909 -0400 DEBUG ModularInputs - <stderr> Introspecting scheme=file_meta_data:      from modular_input import ModularInput, DurationField, BooleanField, IntegerField, WildcardField, Field, FieldValidationException
08-07-2019 16:07:33.909 -0400 DEBUG ModularInputs - <stderr> Introspecting scheme=file_meta_data:  zipimport.ZipImportError: can't decompress data; zlib not available
08-07-2019 16:07:33.909 -0400 ERROR ModularInputs - Introspecting scheme=file_meta_data: script running failed (exited with code 1).

The server has zlib, and we upgraded it - no difference in symptoms.

0 Karma
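
Added example, not part of the original thread or the app's own code: the last traceback line is what Python's zipimport raises when the interpreter running the script cannot import its own `zlib` module, which is a separate question from whether the OS has a zlib library installed. This diagnostic reports whether `zlib` imports and which zip archives on the import path hold compressed members. The function names and the idea of running it with the same interpreter the forwarder launches are assumptions.

```python
# Added diagnostic (not from the thread). Works on Python 2.6+ and 3.x.
import os
import sys
import zipfile


def zlib_available():
    """True if this interpreter can import its own zlib extension module."""
    try:
        import zlib  # noqa: F401
        return True
    except ImportError:
        return False


def deflated_members(zip_path):
    """Names of members stored with DEFLATE; reading them requires zlib."""
    zf = zipfile.ZipFile(zip_path)  # listing the directory needs no zlib
    try:
        return [i.filename for i in zf.infolist()
                if i.compress_type == zipfile.ZIP_DEFLATED]
    finally:
        zf.close()  # ZipFile is not a context manager on Python 2.6


def check_import_path(paths, have_zlib=None):
    """Return (archive, deflated_count, importable) per zip archive in paths."""
    if have_zlib is None:
        have_zlib = zlib_available()
    report = []
    for p in paths:
        if os.path.isfile(p) and zipfile.is_zipfile(p):
            n = len(deflated_members(p))
            # Stored (uncompressed) members import fine even without zlib.
            report.append((p, n, have_zlib or n == 0))
    return report


if __name__ == "__main__":
    # Hypothetical usage: pass archive paths, or default to this sys.path.
    targets = sys.argv[1:] or sys.path
    print("interpreter: %s" % sys.executable)
    print("zlib importable: %s" % zlib_available())
    for path, count, ok in check_import_path(targets):
        print("%s: %d deflated member(s), importable=%s" % (path, count, ok))
```

An archive reported with `importable=False` reproduces the condition in the traceback for that interpreter.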