Solved: retrying a scripted input after a failure

Justin_Grant · ‎02-22-2010

[I heard this question on an internal mailing list, but it seemed generally relevant so asking it here too]

I have a scripted input that talks to an SDEE interface on the Cisco IPS. This interface can be flakey at times and I am running into an issue where if a connection fails Splunk will no longer retry the script. I assumed with the scheduler set -1 it would just try to reconnect after the script exits. I am catching the exception and exiting gracefully but that doesn't seem to work or I am just doing it wrong. Can anyone give me a pointer as to what I need my script to do in order to get Splunk to retry it if the first connection fails.?

gkanapathy · ‎02-22-2010

If you set the interval to -1, it runs the script just once, when Splunk starts up. If you set it to 1, it runs the script again 1 second after the previous invocation exits. It's generally true for all scripted inputs that the next instance runs interval seconds after the exit of the previous invocation.

View solution in original post

gkanapathy · ‎02-22-2010

If you set the interval to -1, it runs the script just once, when Splunk starts up. If you set it to 1, it runs the script again 1 second after the previous invocation exits. It's generally true for all scripted inputs that the next instance runs interval seconds after the exit of the previous invocation.

Will_Hayes · ‎02-22-2010

The interval need to be set to 1 not -1 for auto-retry on exit.

retrying a scripted input after a failure

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Investigate Security and Threat Detection with VirusTotal and Splunk Integration