Re: scripted inputs output varies based on host

lisaac · ‎09-09-2011

I have deployed an app to RHEL 5.6 hosts with the deployment server. The app is a shell script that issues a few lines.

#!/bin/bash
date
echo running ls -l /var/log
ls -l /var/log
echo end

On a few hosts, I see all of the output returned from the directory listing. On most hosts, I only see the a 10th of the needed output.

running ls -al /var/log
total 1792
-rw-r----- 1 root root    1085 Jul 12 19:54 acpid

The output of the script stops at the first entry of /var/log. On other hosts, I get the complete output of the command.

I have even tried to create a unique sourcetype named shell in props.conf:

[shell]
BREAK_ONLY_BEFORE=^end
MAX_EVENTS=500

lisaac · ‎09-27-2011

It is now working. The following worked:

1) I had to ensure that the script captured stderr to stdout (e.g. /bin/ls -l /var/log 2>&1). This was evident after looking at the _iternal index for the cause of the error (e.g. No such file or directory).

2) In props.conf, I set the following:

[shell]

BREAK_ONLY_BEFORE_DATE=false

BREAK_ONLY_BEFORE=^end

MAX_EVENTS=5000

SHOULD_LINEMERGE = True

3) I adjusted the script as follows:

#!/bin/bash

echo end

date

echo running ls -l /var/log

ls -l /var/log

scripted inputs output varies based on host

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation