Hello,
I have a script to index enddate from certificats
#!/bin/sh
echo debug enddate
date=`date "+%d/%m/%Y %H:%M:%S"`
for file in `/usr/bin/ls /opt/splunk/etc/auth/mycerts/*.pem`
do
echo debug befor $file
/opt/splunk/bin/openssl x509 -in $file -enddate -noout
echo debug after $file
done
This script is started from this stanza in inputs.conf:
[script://./bin/certificats]
interval = * * * * *
index=my_index
sourcetype = splunk:certificats
start_by_shell = false
The script is wriking well when I start it from shell with the splunk account (which is also runnig Splunk) and I enddate is printed for both .pem files thar are in mycerts directory.
But when it is started from Splunk, only the lines "debug endate" and "debug befor $file" are indexed (debug befor only for the first file).
I also try with the command "/opt/splunk/bin/splunk cmd openssl x509 -in $file -enddate -noout". This don't change anything.
Do you have an idee why the command openssl give no result and exit the script when started from Splunk?
Thanks