Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why does Splunk scripted input not print data when script is turned off?

sumeet
Engager
‎09-29-2022 10:49 PM

Hello,

I am using python script to read from remote api with pagination. I have one problem while reading data from api, once i started script and it pulls data after that if i disable the script the data does not get printed in splunk though it has passed through print statement.

Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-30-2022 03:43 AM
Maybe I don' understand this right, but when you have disabled input then splunk don't run that script until you are reenabling that input.
Reply

sumeet
Engager
‎09-30-2022 04:06 AM

Hi @isoutamo 


In the below method we are looping through data and sending each event to splunk(for indexing) using print method. So while executing this method if we disable script through ui, it does not index any event to splunk and program is immediately terminated. 

For example: We have 5 events to be indexed. So the for loop should execute print 5 times. Now, suppose it has executed it 2 times and now we disable the script through UI. Then the script will be terminated immediately and the two events which were sent using print function will also not be indexed.

Is it expected behaviour and how we could handle such cases gracefully?


My code is like this:

 

def stream_to_splunk(self, data):
        for event in data:
            jsonData = json.dumps({"sourceType": self.sourceType, "event": event})
            print(jsonData)

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-30-2022 07:01 AM

I cannot recall how this has implemented, but my gut feelings is that this is how it has planned to working. I think that there is some buffering on sending events to splunk and when you are "stopping" it before it has finished it don't sent any events as it has just terminated and all buffers are cleared.

0 Karma
Reply
Get Updates on the Splunk Community!

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...

New Year. New Skills. New Course Releases from Splunk Education

A new year often inspires reflection—and reinvention. Whether your goals include strengthening your security ...