Hi asimit, thank you very much, it was a permission issue. I don't know why the user/group for app rest_ta was root/root, once I reset to splunk/splunk it worked. Thanks! ... View more

Hi Will, thanks for the hints. I didn't create a modular input, just a simple Data Inputs > Script in the Web UI, so when I try to run the command you suggested, Splunk says that "Scheme 'script' is not inizialized" (I used 'script' as scheme and script:///opt/splunk/etc/apps/adsmart_summary/bin/getCampaignData.py as stanza name as written in inputs.conf). I think it's the normal behaviour. In metrics.log I found that at some point Splunk got some events from my script, but anything has been written in the index. As I wrote in the other post, my supects are about avg_age and max_age that have negative values: 02-19-2025 10:49:29.584 +0100 INFO Metrics - group=per_source_thruput, series="/opt/splunk/etc/apps/adsmart_summary/bin/getcampaigndata.py", kbps=0.436, eps=0.677, kb=13.525, ev=21, avg_age=-3600.000, max_age=-3600 host = splunkidx01 source = /opt/splunk/var/log/splunk/metrics.log sourcetype = splunkd   Maybe there something about the timestamp of the events, I am still there trying to figure it out. Thanks! ... View more

I am pretty sure that a leave a reply to you yesterday, but I do found it. Anyway, I already tried what you suggest to do, thanks. Looking at metrics.log I found a line that I think demonstrate that splunk in some way get the data (ev=21) but discard it: 02-19-2025 10:49:29.584 +0100 INFO Metrics - group=per_source_thruput, series="/opt/splunk/etc/apps/adsmart_summary/bin/getcampaigndata.py", kbps=0.436, eps=0.677, kb=13.525, ev=21, avg_age=-3600.000, max_age=-3600 host = splunkidx01 source = /opt/splunk/var/log/splunk/metrics.log sourcetype = splunkd Maybe the issue is avg_age and max_age that are negative, so it is something about the timestamp the the script produce for the events. ... View more