
Script not triggered with complex wildcard search


Hello All,
i have been struggling to find the reason why sometimes the scripts are not triggered when i put some wildcards for filtering search. My search contains many sub searches to be able to get all the information with append statements.

Working scenario:
index=dummy "x\.y\.z" OR "x\.y" OR "v.x.y.z.*IO*"

index=dummy "x\.y\.z" OR "x\.y" OR "v.x.y.z*.*.IO*"

it doesn't trigger the script in the second. Any setting which could help me in this? I have inspected the job not able to get any error or hint. No errors in python.log or splunkd.log. Am using splunk v5.0.1


0 Karma


Hi linu1988,

if this is scripted inputs Splunk does not care about the content of the script, it will fire it at any given time....and maybe this is your problem time. If you run your script too frequent Splunk can get some ugly results back if the scripts have the same name. Reduce the interval the script runs. Use any kind of script logging option you have, like output the start time, result and end time into a file outside of Splunk and check this file.

I also had this problem once, so I'm pretty sure this is not a Splunk problem 😉

happy debugging ...

cheers, MuS


This is occurring in splunk 6 as well, It doesn't work with long complex splunk queries. Here as well i have to do it using Macro.

0 Karma


I mentioned earlier:
' what are you doing exactly' ....

Lets take this offline and I'll push your contact me button so you can mail me 😉

0 Karma


i mentioned earlier, the script is not getting triggered at all. when it gets triggered it actually works. This is depending on the above search i mentioned. With complex searches it doesn't trigger the script at all.

0 Karma


then replace your script with any working like the and see if this is fired. if yes, problem is with your script.

0 Karma


I mentioned earlier, i get all the events for all the searches and get the detailed mail as well. I have been struggling to understand why it is not triggering that .bat file. Any idea on the logic how the script is triggered? may be some bug with wildcard searches or longer search queries. Where else should i check for the reason?

0 Karma


Could be that this second search with the more filter criteria causes this problem, because it simply does not find any event?

0 Karma


no it is script which is triggered with a savedsearch. That is not working what ever i do. Manually the bat file runs and it works with some specific search with wildcards. As i mentioned once i include more filtered criteria that doesn't trigger the script. As usual the email alert i get.

0 Karma


so what are you doing exactly? this is a scripted input right? what does the script look like you run? what happens if you run this script manully using $SPLUNK_HOME/bin/splunk cmd python <pathtoyourscript>/yourScript ? what happens if you run this script once a hour or every 10 minutes instead of each second?

0 Karma


Hey Mus,after this long i have set up each and every tracing mechanism to validate where the issue lies. But it doesn't trigger the script at all. It sends me the result mail but it simply doesn't trigger until i give some specific filters. if time is the problem i want the ugly result but there is no trigger from the script. Hope you can give some other idea.

e.g bat file contains mkdir folder. it's not even creating that.

0 Karma
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...