Hello,

I have a script to index enddate from certificats

#!/bin/sh

echo debug enddate
date=`date "+%d/%m/%Y %H:%M:%S"`

for file in `/usr/bin/ls /opt/splunk/etc/auth/mycerts/*.pem`
do
    echo debug befor $file
    /opt/splunk/bin/openssl x509 -in $file -enddate -noout
    echo debug after $file
done

This script is started from this stanza in inputs.conf:

[script://./bin/certificats]
interval = * * * * *
index=my_index
sourcetype = splunk:certificats
start_by_shell = false

The script is wriking well when I start it from shell with the splunk account (which is also runnig Splunk) and I enddate is printed for both .pem files thar are in mycerts directory.

But when it is started from Splunk, only the lines "debug endate" and "debug befor $file" are indexed (debug befor only for the first file).

I also try with the command "/opt/splunk/bin/splunk cmd openssl x509 -in $file -enddate -noout". This don't change anything.

Do you have an idee why the command openssl give no result and exit the script when started from Splunk?

Thanks