script input not working when parameter is passed as a variable and not the static value in inputs.conf

sara91
Explorer

Hi All,

I am using a script to fetch an HTTP response as a Splunk raw event. For this I am passing the parameter as a variable whose value is in another conf file.
The inputs.conf is as below:

[script:///opt/splunkforwarder/etc/apps/search/bin/scripts/urlhealthcheck.sh HEALTHCHECK_URL ]
sourcetype = healthcheck
disabled = false
interval = 300
index = main

The configuration file where the parameter HEALTHCHECK_URL is stored: example.conf

HEALTHCHECK_URL=https://healthcheckurl.domain.com

The shell script urlhealthcheck.sh:

#!/bin/sh
url=$(cat PRA.conf | grep $1 | awk -F "=" '{print $2}')
responsecode=$(wget -S --spider --no-check-certificate $url 2>&1 | grep "HTTP/" | awk '{print $2}')
response=$(wget -q --no-check-certificate -O - $url 2>&1 )
echo "URL=$url, ResponseCode=$responsecode, Response=$response"

This shell script is running perfectly when run from the terminal as

sh /opt/splunkforwarder/etc/apps/search/bin/scripts/urlhealthcheck.sh HEALTHCHECK_URL

Or run as

./opt/splunkforwarder/etc/apps/search/bin/scripts/urlhealthcheck.sh HEALTHCHECK_URL

giving output as:
[
{
"code": 200,
"response": "Health Check: Succeeded"
}
]

But in inputs.conf this is giving the response as:
wget: missing URL
Usage: wget [OPTION]... [URL]...
Try `wget --help' for more options.

If I change the parameter from HEALTHCHECK_URL to https://healthcheckurl.domain.com, the HTTP response comes out correct without an error.

[script:///opt/splunkforwarder/etc/apps/search/bin/scripts/urlhealthcheck.sh https://healthcheckurl.domain.com ]
sourcetype = healthcheck
disabled = false
interval = 300
index = main

What is the reason that I am not able to pass the parameter as a variable through the inputs.conf, though the script is working fine?

1 Solution

nickhills
Ultra Champion

Where is "PRA.conf" located?
Scripts do not execute with ./app/bin as the working directory.
It's probable, therefore, that PRA.conf is not being found, and thus not expanded.

Can you try specifying the path fully in the script?
url=$(cat /opt/splunkforwarder/etc/apps/search/bin/scripts/PRA.conf | grep $1 | awk -F "=" '{print $2}')

If my comment helps, please give it a thumbs up!
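
Added example, not part of the original thread or of nickhills's answer: a variant of the script that resolves PRA.conf relative to the script's own location, matches the key name exactly, and stops when the lookup fails. It assumes PRA.conf sits beside the script; `script_dir`, `lookup_url` and `main` are names chosen for this example.

```sh
#!/bin/sh
# Added example: hardened variant of urlhealthcheck.sh (not the poster's code).
# Assumption: PRA.conf sits in the same directory as this script.

# Directory holding this script, independent of the caller's working directory.
script_dir() (
    CDPATH= cd -- "$(dirname -- "$0")" && pwd
)

# lookup_url KEY CONF_FILE
# Prints the value for KEY; returns 2 (file unreadable), 3 (key missing),
# or 4 (value is not an http/https URL).
lookup_url() {
    key=$1
    conf=$2
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Exact match on the key name (grep "$1" would also match
    # OTHER_HEALTHCHECK_URL); keep everything after the first "=" so a
    # query string containing "=" is not truncated.
    url=$(awk -F= -v k="$key" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$conf")
    case $url in
        http://*|https://*) printf '%s\n' "$url" ;;
        '') echo "no entry for $key in $conf" >&2; return 3 ;;
        *)  echo "value for $key is not an http(s) URL" >&2; return 4 ;;
    esac
}

main() {
    conf="$(script_dir)/PRA.conf"
    # Stop before calling wget, so a failed lookup is reported as such
    # instead of surfacing as "wget: missing URL".
    url=$(lookup_url "$1" "$conf") || return 1
    # Certificate verification is left on here; the original passes
    # --no-check-certificate.
    responsecode=$(wget -S --spider "$url" 2>&1 | grep "HTTP/" | awk '{print $2}')
    response=$(wget -q -O - "$url" 2>&1)
    echo "URL=$url, ResponseCode=$responsecode, Response=$response"
}

# Run only when a key name is given, e.g. from the inputs.conf stanza.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```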

sara91
Explorer

Thank you. It is working.


nickhills
Ultra Champion

Great news! Please accept my answer so others can see what the solution was in the future!
