Getting Data In

scripted input cron schedule

jskopis5668
Explorer

I defined a scripted input:

[script://$SPLUNK_HOME/etc/apps/ccbn/bin/get_domain_by_date]
disabled = true
host = dbserver
index = main
interval = 0 1 * * *    #frequency to run the script
source = newman_db
sourcetype = feedback_by_domain

When I run the script I get output like this:

20110830: date=20110830,domain=aim.com,type=2,count=12
20110830: date=20110830,domain=aol.com,type=2,count=88
20110830: date=20110830,domain=aol.com,type=3,count=68
20110830: date=20110830,domain=att.net,type=2,count=35
20110830: date=20110830,domain=bellsouth.net,type=2,count=15
20110830: date=20110830,domain=bls.gov,type=2,count=11
20110830: date=20110830,domain=comcast.net,type=2,count=74
20110830: date=20110830,domain=comcast.net,type=3,count=27
20110830: date=20110830,domain=gmail.com,type=2,count=31
20110830: date=20110830,domain=hotmail.com,type=2,count=439
20110830: date=20110830,domain=hotmail.com,type=3,count=164
20110830: date=20110830,domain=irs.gov,type=1,count=14
20110830: date=20110830,domain=live.com,type=2,count=77
20110830: date=20110830,domain=live.com,type=3,count=12
20110830: date=20110830,domain=msn.com,type=2,count=13
20110830: date=20110830,domain=msn.com,type=3,count=17
20110830: date=20110830,domain=optonline.net,type=2,count=11
20110830: date=20110830,domain=sbcglobal.net,type=2,count=32
20110830: date=20110830,domain=sbcglobal.net,type=3,count=15
20110830: date=20110830,domain=verizon.net,type=2,count=47
20110830: date=20110830,domain=yahoo.ca,type=3,count=54
20110830: date=20110830,domain=yahoo.com,type=2,count=642
20110830: date=20110830,domain=yahoo.com,type=3,count=310
20110830: date=20110830,domain=ymail.com,type=2,count=33
20110830: date=20110830,domain=ymail.com,type=3,count=14

However, splunkd seems to be running the script every one second. This causes many duplicate events. I want the script to run once a day, as it outputs counts of feedback events for the previous day.

How can I make the script run once a day after midnight?

1 Solution

Drainy
Champion

This is what you have defined in inputs.conf? The cron statement looks fine. Perhaps remove the comment in case it isn't agreeing with it (or move it to a new line) and hardcode disabled as 0 to enable the script.

Also, does the script itself end?
If your script does not terminate itself, then using cron will only check if it is still running or not, which makes defining an interval irrelevant. I have previously had instances where I made a script that never terminated, which resulted in many duplicates that I assumed were the interval playing up, but it was in fact my script.

jskopis5668
Explorer

Getting rid of the comment after the cronspec and deleting the whitespace before/after the '=' seemed to do the trick. Odd.

thanks
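
The checks discussed in this thread (no comment text on the same line as a value, an interval that is either a number of seconds or a five-field cron schedule, and an input that is not disabled) can be run over inputs.conf before deploying it. This is an added example, not code from any poster or from Splunk; the sample text, the `_fixed` stanza name and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the question's stanza (abridged) plus a corrected variant.
SAMPLE = """\
[script://$SPLUNK_HOME/etc/apps/ccbn/bin/get_domain_by_date]
disabled = true
host = dbserver
index = main
interval = 0 1 * * *    #frequency to run the script

# run once a day at 01:00 (comment on its own line)
[script://$SPLUNK_HOME/etc/apps/ccbn/bin/get_domain_by_date_fixed]
disabled=0
interval=0 1 * * *
"""

NUMBER = re.compile(r"-?\d+(\.\d+)?")
CRON_FIELD = re.compile(r"[\d*/,\-]+")  # assumption: numeric cron fields only

def interval_problem(value):
    """Return None for a number of seconds or a 5-field cron spec, else a message."""
    if NUMBER.fullmatch(value):
        return None
    fields = value.split()
    if len(fields) == 5 and all(CRON_FIELD.fullmatch(f) for f in fields):
        return None
    return f"interval {value!r} is neither seconds nor a 5-field cron schedule"

def lint_inputs_conf(text):
    """Return (line_no, message) findings for settings inside [script://...] stanzas."""
    findings, in_script = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and whole-line comments are fine
        if line.startswith("["):
            in_script = line.startswith("[script://")
            continue
        if not in_script or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if re.search(r"\s#", value):
            findings.append((no, f"{key}: '#' text follows the value on the same line"))
        if key == "interval" and (msg := interval_problem(value)):
            findings.append((no, msg))
        if key == "disabled" and value.lower() in ("1", "true"):
            findings.append((no, "disabled: input is turned off"))
    return findings
```

Calling `lint_inputs_conf(SAMPLE)` reports the disabled flag and the interval line of the first stanza and nothing for the second.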

t9445
Path Finder

Interesting - running UF v7.1.2 on Linux and this issue has come back - was previously fixed -- re-updating inputs.conf scripts to not have any whitespace for the interval (e.g. interval=300 <- always works, interval = 300 <- does not always work)

bruceclarke
Contributor

I appear to have had the same issue earlier today (almost 7 years later).

It is pretty incredible that this appears to still be an issue for Splunk so much later. I have filed a support ticket to fix it. (Granted, it is possible that my issue is a different one.)
