Monitoring Splunk

How do I fix this error: Incorrect path to script - Script must be located inside $SPLUNK_HOME\bin\scripts?

st1
Path Finder

The splunkd.log on a Windows host shows the following errors:

05-22-2023 15:31:34.452 -0400 ERROR FrameworkUtils [15508 ExecProcessor] - Incorrect path to script: \.\bin\rectify_hostname.sh. Script must be located inside $SPLUNK_HOME\bin\scripts.

05-22-2023 15:31:34.452 -0400 ERROR ExecProcessor [15508 ExecProcessor] - Ignoring: "\.\bin\rectify_hostname.sh"

 How am I able to fix this? I cannot find the "\.\bin\rectify_hostname.sh" path on the host.

Labels (1)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

Ugh.

The idea of supplying an app with two different script versions - one for Windows and one for Unix is in itself a good one. The bad thing about this particular app is that both versions are enabled by default. (I'm not very convinced to sending data to _internal this way, BTW; normal thing would be to create a file in $SPLUNK_HOME/var/log/splunk and let the forwarder's default monitor input pick it up).

How I'd disable that input?

If you deploy this app to many hosts (both unix and windows), I'd create one app for unix and one for windows with just a definition of a disabled input. So one app with local/inputs.conf containing:

[script://./bin/rectify_hostname.sh]
disabled = 1

And one with

[script://.\bin\rectify_hostname_wrapper.cmd]
disabled = 1

 Then you simply deploy one of them to windows and one to unices.

But honestly, I find the whole app broken by design. It's trying to do a walkaround over the problem which should be solved, not walked around.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

The error message is not saying the script exists in the wrong place.  It's saying a .conf file contains the invalid path given.

Search your Splunk configs for the file path in the message and correct it.

---
If this reply helps you, Karma would be appreciated.

st1
Path Finder

I found the file path on my deployment server at /opt/splunk/etc/deployment-apps/rectify_hostname/default/inputs.conf

[script://./bin/rectify_hostname.sh]
disabled = False
index = _internal
interval = -1

[script://.\bin\rectify_hostname_wrapper.cmd]
disabled = False
index = _internal
interval = -1

 

/opt/splunk/etc/deployment-apps/rectify_hostname/bin/rectify_hostname.sh  has this:

#!/bin/bash

# chmod a+x <this file> before deployment

# script fetches the hostname from the environment
# converts it to lowercase and truncates any FQDN
# inserts it into etc/system/local server.conf and inputs.conf if necessary
# restarts splunk
# tested on RHEL7 and Solaris11

# set localization from international (cuz old Gnu on Solaris)
LC_ALL="C"

if [ "$SPLUNK_HOME" = "" ]; then
SPLUNK_HOME="/opt/splunkforwarder"
fi

...

 

/opt/splunk/etc/deployment-apps/rectify_hostname/bin/rectify_hostname_wrapper.cmd 

REM store path of this bin folder
set "BINPATH=%~dp0"
REM set "SPLUNK_HOME=C:\Program Files\SplunkUniversalForwarder"

%SystemRoot%\system32\WindowsPowerShell\v1.0\Powershell -ExecutionPolicy ByPass -File "%BINPATH%rectify_hostname.ps1" -splunkHome "%SPLUNK_HOME%"

 

/opt/splunk/etc/deployment-apps/rectify_hostname/bin/rectify_hostname.ps1

# for Powershell 2 compatibilityparam(
[string]$splunkHome = $env:SPLUNK_HOME
)

if ( -not ($splunkHome) ) {
$splunkHome = "$env:ProgramFiles\SplunkUniversalForwarder"
}

...

 

I'm not sure where to correct the file path. Would it be changing the line in inputs.conf from [script://./bin/rectify_hostname.sh] to [script://./bin/scripts/rectify_hostname.sh]?

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Ugh.

The idea of supplying an app with two different script versions - one for Windows and one for Unix is in itself a good one. The bad thing about this particular app is that both versions are enabled by default. (I'm not very convinced to sending data to _internal this way, BTW; normal thing would be to create a file in $SPLUNK_HOME/var/log/splunk and let the forwarder's default monitor input pick it up).

How I'd disable that input?

If you deploy this app to many hosts (both unix and windows), I'd create one app for unix and one for windows with just a definition of a disabled input. So one app with local/inputs.conf containing:

[script://./bin/rectify_hostname.sh]
disabled = 1

And one with

[script://.\bin\rectify_hostname_wrapper.cmd]
disabled = 1

 Then you simply deploy one of them to windows and one to unices.

But honestly, I find the whole app broken by design. It's trying to do a walkaround over the problem which should be solved, not walked around.

isoutamo
SplunkTrust
SplunkTrust

It seems that you have one common App which contains both linux and windows version for that script. Basically this means that if you have only one version it with configurations on DS and you deploy it to all your UFs (both linux and windows) and you have enabled both scripts then it obviously failed. On linux nodes windows version failed and on windows nodes linux version failed (as your logs already said).

There are couple of ways to fix it based on it's content (have it anything else than this one script). Shortly you should have separate inputs script enabled based on UF's OS.  If you have only Windows UFs then just change "disabled = True" for rectify_hostname.sh script on inputs.conf.

But if you have both linux and windows where you are running this app, then probably easiest way is just copy this app rectify_hostname_nix and rectify_hostname_win and then enable linux script on 1st one and windows version on 2nd one.

st1
Path Finder

Thanks for the detailed response. It's very helpful.

So, for my clarification, I create two new deployments apps: rectify_hostname_nix and rectify_hostname_win.

Everything stays the same in these apps except for the input.conf file?

For the nix app, I would keep "disabled = False" and for the windows app, I would do "disabled = True"? I think I'm not sure if I have the right solution for Windows

0 Karma

isoutamo
SplunkTrust
SplunkTrust
Also one notice about this script. You said that you are running it on windows, but script name ends .sh which usually means that it is shell (like bash) script which are not compatible with windows unless you have installed linux compatible feature or other packages which add e.g. bash into your server.
r. Ismo
0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...