The splunkd.log on a Windows host shows the following errors:
05-22-2023 15:31:34.452 -0400 ERROR FrameworkUtils [15508 ExecProcessor] - Incorrect path to script: \.\bin\rectify_hostname.sh. Script must be located inside $SPLUNK_HOME\bin\scripts.
05-22-2023 15:31:34.452 -0400 ERROR ExecProcessor [15508 ExecProcessor] - Ignoring: "\.\bin\rectify_hostname.sh"
How am I able to fix this? I cannot find the "\.\bin\rectify_hostname.sh" path on the host.
Ugh.
The idea of supplying an app with two different script versions - one for Windows and one for Unix - is in itself a good one. The bad thing about this particular app is that both versions are enabled by default. (I'm not very convinced about sending data to _internal this way, BTW; the normal thing would be to create a file in $SPLUNK_HOME/var/log/splunk and let the forwarder's default monitor input pick it up).
How would I disable that input?
If you deploy this app to many hosts (both Unix and Windows), I'd create one app for Unix and one for Windows with just a definition of a disabled input. So one app with local/inputs.conf containing:
[script://./bin/rectify_hostname.sh]
disabled = 1
And one with
[script://.\bin\rectify_hostname_wrapper.cmd]
disabled = 1
Then you simply deploy one of them to Windows and one to unices.
But honestly, I find the whole app broken by design. It's trying to do a workaround for the problem which should be solved, not worked around.
The error message is not saying the script exists in the wrong place. It's saying a .conf file contains the invalid path given.
Search your Splunk configs for the file path in the message and correct it.
I found the file path on my deployment server at /opt/splunk/etc/deployment-apps/rectify_hostname/default/inputs.conf
[script://./bin/rectify_hostname.sh]
disabled = False
index = _internal
interval = -1
[script://.\bin\rectify_hostname_wrapper.cmd]
disabled = False
index = _internal
interval = -1
/opt/splunk/etc/deployment-apps/rectify_hostname/bin/rectify_hostname.sh has this:
#!/bin/bash
# chmod a+x <this file> before deployment
# script fetches the hostname from the environment
# converts it to lowercase and truncates any FQDN
# inserts it into etc/system/local server.conf and inputs.conf if necessary
# restarts splunk
# tested on RHEL7 and Solaris11
# set localization from international (cuz old Gnu on Solaris)
LC_ALL="C"
if [ "$SPLUNK_HOME" = "" ]; then
SPLUNK_HOME="/opt/splunkforwarder"
fi
...
/opt/splunk/etc/deployment-apps/rectify_hostname/bin/rectify_hostname_wrapper.cmd
REM store path of this bin folder
set "BINPATH=%~dp0"
REM set "SPLUNK_HOME=C:\Program Files\SplunkUniversalForwarder"
%SystemRoot%\system32\WindowsPowerShell\v1.0\Powershell -ExecutionPolicy ByPass -File "%BINPATH%rectify_hostname.ps1" -splunkHome "%SPLUNK_HOME%"
/opt/splunk/etc/deployment-apps/rectify_hostname/bin/rectify_hostname.ps1
# for Powershell 2 compatibility
param(
[string]$splunkHome = $env:SPLUNK_HOME
)
if ( -not ($splunkHome) ) {
$splunkHome = "$env:ProgramFiles\SplunkUniversalForwarder"
}
...
I'm not sure where to correct the file path. Would it be changing the line in inputs.conf from [script://./bin/rectify_hostname.sh] to [script://./bin/scripts/rectify_hostname.sh]?
It seems that you have one common app which contains both the Linux and Windows versions of that script. Basically this means that if you have only one version of it with configurations on the DS, and you deploy it to all your UFs (both Linux and Windows) with both scripts enabled, then it obviously fails. On Linux nodes the Windows version fails and on Windows nodes the Linux version fails (as your logs already said).
There are a couple of ways to fix it, depending on its content (whether it has anything other than this one script). In short, you should have a separate input script enabled based on the UF's OS. If you have only Windows UFs, then just change to "disabled = True" for the rectify_hostname.sh script in inputs.conf.
But if you have both Linux and Windows hosts where you are running this app, then probably the easiest way is just to copy this app to rectify_hostname_nix and rectify_hostname_win and then enable the Linux script in the first one and the Windows version in the second one.
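The split described in the replies above, as an added example that is not part of the original thread or the app's own code: it reads the combined inputs.conf quoted earlier and derives a local/inputs.conf override for each copied app, relying on local/ taking precedence over default/ within an app. The function names and the extension-to-OS mapping are assumptions of this example; the app names come from the reply above.

```python
# Added example (not the app's own code): derive per-OS local/inputs.conf overrides.
# Constructed sample: the combined default/inputs.conf quoted in the thread.
COMBINED_INPUTS = r"""
[script://./bin/rectify_hostname.sh]
disabled = False
index = _internal
interval = -1
[script://.\bin\rectify_hostname_wrapper.cmd]
disabled = False
index = _internal
interval = -1
"""

# Assumption: the script's file extension identifies the OS it is meant for.
EXT_TO_OS = {".sh": "nix", ".cmd": "windows", ".bat": "windows", ".ps1": "windows"}

def script_stanzas(text):
    """Return the script:// stanza names in file order."""
    names = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[script://") and line.endswith("]"):
            names.append(line[1:-1])
    return names

def script_os(stanza):
    """Classify a script:// stanza as 'nix', 'windows' or None (unknown)."""
    ext = "." + stanza.rsplit(".", 1)[-1].lower()
    return EXT_TO_OS.get(ext)

def os_override(text, target_os):
    """Build local/inputs.conf text: matching-OS scripts enabled, others disabled."""
    out = []
    for stanza in script_stanzas(text):
        kind = script_os(stanza)
        if kind is None:
            continue  # leave stanzas we cannot classify untouched
        out += [f"[{stanza}]", "disabled = " + ("0" if kind == target_os else "1"), ""]
    return "\n".join(out)

def build_overrides(text):
    """Map each copied app's local/inputs.conf path to its override text."""
    return {
        "rectify_hostname_nix/local/inputs.conf": os_override(text, "nix"),
        "rectify_hostname_win/local/inputs.conf": os_override(text, "windows"),
    }

if __name__ == "__main__":
    for path, conf in build_overrides(COMBINED_INPUTS).items():
        print(f"# {path}\n{conf}")
```

Only the `disabled` key is written; `index` and `interval` are inherited from each app's default/inputs.conf.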
Thanks for the detailed response. It's very helpful.
So, for my clarification, I create two new deployment apps: rectify_hostname_nix and rectify_hostname_win.
Everything stays the same in these apps except for the inputs.conf file?
For the nix app, I would keep "disabled = False" and for the Windows app, I would do "disabled = True"? I think I'm not sure if I have the right solution for Windows.