Installation

Error after upgrading to version 7.1.1.

MAMAOUI
Explorer

Hi All,

Every minute I receive the error:

msg="A script exited abnormally" input="./bin/instrumentation.py" stanza="default" status="exited with code 114"


I get this error after upgrading to Splunk 7.1.1.

Thanks
M&A

Labels (1)
Tags (2)
1 Solution

jamesjarrett
Path Finder

Check SOLNESS-15251, at SplunkES fixed issues.

The answer was posted by @donaldmurchison :

I recently had this issue on an instance with ES as well. We traced it back to the “[configuration_check://confcheck_script_errors]” stanza in inputs.conf of the ES app. It looks like this stanza was not in ES version 5.0.1.

We decided to just add instrumentation.py to the regex in the suppress setting of this stanza. The error is still included in the internal logs but doesn’t show up as a bulletin message anymore.
....

Yes, this is just a workaround. However, ‘msg="A script exited abnormally" input="$SPLUNK_HOME/etc/apps/splunk_instrumentation/bin/instrumentation.py" stanza="default" status="exited with code 114"’, does not indicate an actual issue. If that's what you are receiving, suppressing the message should be fine for now. From the Enterprise Security fixed issues page (SOLNESS-15251), http://docs.splunk.com/Documentation/ES/5.1.0/RN/FixedIssues, “Exit code 114 is normal for instrumentation.py and should be whitelisted”. If you are receiving a different exit code, you might have a bigger problem.

View solution in original post

0 Karma

Tony_chan
New Member

We also had the same problem, but we can't find the instrumentation.py folder, and there has nothing in input.conf.
Where can we find more information about this issue.

0 Karma

jamesjarrett
Path Finder

Check SOLNESS-15251, at SplunkES fixed issues.

The answer was posted by @donaldmurchison :

I recently had this issue on an instance with ES as well. We traced it back to the “[configuration_check://confcheck_script_errors]” stanza in inputs.conf of the ES app. It looks like this stanza was not in ES version 5.0.1.

We decided to just add instrumentation.py to the regex in the suppress setting of this stanza. The error is still included in the internal logs but doesn’t show up as a bulletin message anymore.
....

Yes, this is just a workaround. However, ‘msg="A script exited abnormally" input="$SPLUNK_HOME/etc/apps/splunk_instrumentation/bin/instrumentation.py" stanza="default" status="exited with code 114"’, does not indicate an actual issue. If that's what you are receiving, suppressing the message should be fine for now. From the Enterprise Security fixed issues page (SOLNESS-15251), http://docs.splunk.com/Documentation/ES/5.1.0/RN/FixedIssues, “Exit code 114 is normal for instrumentation.py and should be whitelisted”. If you are receiving a different exit code, you might have a bigger problem.

0 Karma

dpurtell
New Member

For clarification, I understand the exit code 114 is normal, but can these be suppressed from displaying in Messages? Is there an update planned to remove from showing in Messages? Thank you- Duane

0 Karma

ejenson_splunk
Splunk Employee
Splunk Employee

As an FYI. This issue appears to be back in ES 5.2.2 at a minimum. I have not checked versions between 5.1.0 where the issue was supposedly fixed and 5.2.2.

0 Karma

jamesjarrett
Path Finder

I too am having this issue with my SplunkES instance. Of course, it is highly underpowered but still suffering this issue after upgrading to 7.1.1

Other instances are not having this issue. All are Azure VMs

donaldmurchison
Engager

I recently had this issue on an instance with ES as well. We traced it back to the “[configuration_check://confcheck_script_errors]” stanza in inputs.conf of the ES app. It looks like this stanza was not in ES version 5.0.1.

We decided to just add instrumentation.py to the regex in the suppress setting of this stanza. The error is still included in the internal logs but doesn’t show up as a bulletin message anymore.

0 Karma

MAMAOUI
Explorer

Hello,
Thanks Donald, I added instrumentation script in the suppress stanza “[configuration_check://confcheck_script_errors]” in local and it worked , i don't see message error anymore.

0 Karma

jamesjarrett
Path Finder

While it may get rid of the problem showing up in the the messages, it still doesn't address whatever this issue is. I would have figured that someone would have a much better answer by now - especially since its related to Enterprise Security :-(.

0 Karma

donaldmurchison
Engager

Yes, this is just a workaround. However, ‘msg="A script exited abnormally" input="$SPLUNK_HOME/etc/apps/splunk_instrumentation/bin/instrumentation.py" stanza="default" status="exited with code 114"’, does not indicate an actual issue. If that's what you are receiving, suppressing the message should be fine for now. From the Enterprise Security fixed issues page (SOLNESS-15251), http://docs.splunk.com/Documentation/ES/5.1.0/RN/FixedIssues, “Exit code 114 is normal for instrumentation.py and should be whitelisted”. If you are receiving a different exit code, you might have a bigger problem.

renjith_nair
Legend

Hi @MAMAOUI,

Check your inputs.conf where you have a script scheduled /bin/instrumentation.py and try to identify the issue with the script.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

stmyers84
Explorer

I'm also getting this error, and have disabled the scripted input in inputs.conf....still getting error.

0 Karma

MAMAOUI
Explorer

I have the same probleme,I verified the input.conf ... and still getting same message error, did you find any solution?Thanks

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...