Re: scripted inputs output varies based on host

lisaac · ‎09-09-2011

I have deployed an app to RHEL 5.6 hosts with the deployment server. The app is a shell script that issues a few lines.

#!/bin/bash
date
echo running ls -l /var/log
ls -l /var/log
echo end

On a few hosts, I see all of the output returned from the directory listing. On most hosts, I only see the a 10th of the needed output.

running ls -al /var/log
total 1792
-rw-r----- 1 root root    1085 Jul 12 19:54 acpid

The output of the script stops at the first entry of /var/log. On other hosts, I get the complete output of the command.

I have even tried to create a unique sourcetype named shell in props.conf:

[shell]
BREAK_ONLY_BEFORE=^end
MAX_EVENTS=500

lisaac · ‎09-27-2011

It is now working. The following worked:

1) I had to ensure that the script captured stderr to stdout (e.g. /bin/ls -l /var/log 2>&1). This was evident after looking at the _iternal index for the cause of the error (e.g. No such file or directory).

2) In props.conf, I set the following:

[shell]

BREAK_ONLY_BEFORE_DATE=false

BREAK_ONLY_BEFORE=^end

MAX_EVENTS=5000

SHOULD_LINEMERGE = True

3) I adjusted the script as follows:

#!/bin/bash

echo end

date

echo running ls -l /var/log

ls -l /var/log

scripted inputs output varies based on host

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

scripted inputs output varies based on host

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?