I have a script to index enddate from certificats
echo debug enddate
date=`date "+%d/%m/%Y %H:%M:%S"`
for file in `/usr/bin/ls /opt/splunk/etc/auth/mycerts/*.pem`
echo debug befor $file
/opt/splunk/bin/openssl x509 -in $file -enddate -noout
echo debug after $file
This script is started from this stanza in inputs.conf:
interval = * * * * *
sourcetype = splunk:certificats
start_by_shell = false
The script is wriking well when I start it from shell with the splunk account (which is also runnig Splunk) and I enddate is printed for both .pem files thar are in mycerts directory.
But when it is started from Splunk, only the lines "debug endate" and "debug befor $file" are indexed (debug befor only for the first file).
I also try with the command "/opt/splunk/bin/splunk cmd openssl x509 -in $file -enddate -noout". This don't change anything.
Do you have an idee why the command openssl give no result and exit the script when started from Splunk?