Why did my saved search display error "exited with status code: 1"?

New Member

One of my saved searched exited without proper information and getting this error message in the splunkd.log.

03-20-2017 10:22:32.054 -0500 ERROR script - sid:rt_scheduler__nobody_TW9uc2FudG8tTW9uaXRvcmluZy1TZWxmU2VydmljZQ__RMD539622b545a012fbd_at_1489931706_5897.76 command="runshellscript", Script: /opt/splunk/etc/apps/appname/bin/scripts/ exited with status code: 1

Can anyone have any idea please help me out.

0 Karma

Revered Legend

Seems like your saved search ran fine but the alert action script failed. I would check python.log file for more details on the error.

0 Karma

Path Finder

Hello, skuma30

Could you solve this problem? If you solved, can you share your solution, because I have the same problem.


0 Karma

New Member


below is the script that I ran in the .py file.


import gzip
import csv
import sys
import os
import subprocess
import splunklib.client as client
import collections
import json
import ConfigParser
from ConfigParser import SafeConfigParser

parser = SafeConfigParser()'/opt/splunk/etc/filename.ini')

HOST = parser.get('environment','HOST')
PORT = parser.get('environment','PORT')
USERNAME = parser.get('environment','USERNAME')
PASSWORD = parser.get('environment','PASSWORD')

def post(event):
print "connecting\n"
service = client.connect(
index = service.indexes['xyz']
index.submit(event, sourcetype='ABC')

with open('/tmp/customappname.log', 'a') as f:
print>>f, sys.argv
print sys.argv

event = {}
f = gzip.GzipFile(sys.argv[8])
r = csv.DictReader(f)
for i in r:
for key in i:
if key == "key":
x = str(i[key])
x = x.replace(" ", "")
event[key] = x
elif key == "msg":
event[key] = i[key]
elif key == "severity":
event[key] = i[key]
elif key == 'status_defg':
st = 'status'
event[st] = i[key]
elif key == "_time":
event[key] = i[key]
elif key == "support_team":
event[key] = i[key]
elif key == "auto_close":
event[key] = i[key]

print 'event after processing\n', event

ju_event = json.dumps(event)

print ju_event


0 Karma

New Member

this is the custom script I ran but it is throwing the error please let me know what you can help me

0 Karma


Often that RC 1 is an error in the python script. I've seen at least 3 instances here. The following link is one of them, and gives some suggestions for debugging.

Also, the "rt_scheduler__nobody" jumps out at me. Make sure that your script execution is properly owned, and that the owner has all the authority it needs.

0 Karma

New Member


Thank you for the reply but here I'm searching for the command="runshellscript" but I cannot find in the .py file.

0 Karma
Get Updates on the Splunk Community!

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...