Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why does Splunk scripted input not print data when script is turned off?

sumeet
Engager
‎09-29-2022 10:49 PM

Hello,

I am using python script to read from remote api with pagination. I have one problem while reading data from api, once i started script and it pulls data after that if i disable the script the data does not get printed in splunk though it has passed through print statement.

Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-30-2022 03:43 AM
Maybe I don' understand this right, but when you have disabled input then splunk don't run that script until you are reenabling that input.
Reply

sumeet
Engager
‎09-30-2022 04:06 AM

Hi @isoutamo 


In the below method we are looping through data and sending each event to splunk(for indexing) using print method. So while executing this method if we disable script through ui, it does not index any event to splunk and program is immediately terminated. 

For example: We have 5 events to be indexed. So the for loop should execute print 5 times. Now, suppose it has executed it 2 times and now we disable the script through UI. Then the script will be terminated immediately and the two events which were sent using print function will also not be indexed.

Is it expected behaviour and how we could handle such cases gracefully?


My code is like this:

 

def stream_to_splunk(self, data):
        for event in data:
            jsonData = json.dumps({"sourceType": self.sourceType, "event": event})
            print(jsonData)

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-30-2022 07:01 AM

I cannot recall how this has implemented, but my gut feelings is that this is how it has planned to working. I think that there is some buffering on sending events to splunk and when you are "stopping" it before it has finished it don't sent any events as it has just terminated and all buffers are cleared.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...