Reporting

Why did my saved search display error "exited with status code: 1"?

skuma30
New Member

One of my saved searched exited without proper information and getting this error message in the splunkd.log.

03-20-2017 10:22:32.054 -0500 ERROR script - sid:rt_scheduler__nobody_TW9uc2FudG8tTW9uaXRvcmluZy1TZWxmU2VydmljZQ__RMD539622b545a012fbd_at_1489931706_5897.76 command="runshellscript", Script: /opt/splunk/etc/apps/appname/bin/scripts/customappname.py exited with status code: 1

Can anyone have any idea please help me out.

0 Karma

somesoni2
Revered Legend

Seems like your saved search ran fine but the alert action script customappname.py failed. I would check python.log file for more details on the error.

0 Karma

a_salikov
Path Finder

Hello, skuma30

Could you solve this problem? If you solved, can you share your solution, because I have the same problem.

Thanks!

0 Karma

skuma30
New Member

Somesoni2,

below is the script that I ran in the .py file.

!/usr/bin/python

import gzip
import csv
import sys
import os
import subprocess
import splunklib.client as client
import collections
import json
import ConfigParser
from ConfigParser import SafeConfigParser

parser = SafeConfigParser()
parser.read('/opt/splunk/etc/filename.ini')

HOST = parser.get('environment','HOST')
PORT = parser.get('environment','PORT')
USERNAME = parser.get('environment','USERNAME')
PASSWORD = parser.get('environment','PASSWORD')

def post(event):
print "connecting\n"
service = client.connect(
host=HOST,
port=PORT,
username=USERNAME,
password=PASSWORD)
index = service.indexes['xyz']
index.submit(event, sourcetype='ABC')

with open('/tmp/customappname.log', 'a') as f:
print>>f, sys.argv
print sys.argv

event = {}
f = gzip.GzipFile(sys.argv[8])
r = csv.DictReader(f)
for i in r:
for key in i:
if key == "key":
x = str(i[key])
x = x.replace(" ", "")
event[key] = x
elif key == "msg":
event[key] = i[key]
elif key == "severity":
event[key] = i[key]
elif key == 'status_defg':
st = 'status'
event[st] = i[key]
elif key == "_time":
event[key] = i[key]
elif key == "support_team":
event[key] = i[key]
elif key == "auto_close":
event[key] = i[key]

print 'event after processing\n', event

ju_event = json.dumps(event)

print ju_event

raw_input("Hello")

post(ju_event)
0 Karma

skuma30
New Member

this is the custom script I ran but it is throwing the error please let me know what you can help me

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Often that RC 1 is an error in the python script. I've seen at least 3 instances here. The following link is one of them, and gives some suggestions for debugging.

https://answers.splunk.com/answers/189517/why-am-i-getting-error-code-1-for-my-python-script.html

Also, the "rt_scheduler__nobody" jumps out at me. Make sure that your script execution is properly owned, and that the owner has all the authority it needs.

0 Karma

skuma30
New Member

DalJeanis,

Thank you for the reply but here I'm searching for the command="runshellscript" but I cannot find in the .py file.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...