I have two searches that both run independently of one another. They both work fine by themselves. Now, I would like to run the second search if, and only if, the first search does NOT return any results. I'm trying to do something like this right now:
<first search> | stats count | where count=0 | <second search>
But that doesn't quite work, the events from are returned, but no others are. What I'd like is for the events from to just be dropped, and the events from to be returned if there were NOT any results for . Has anyone done this before?
We're using the Splunk App for AWS, and have been doing some customizations to better suit our needs. I've run into a strange problem though. One of the scripts connects to an Amazon S3 bucket in order to download some billing information, but when Splunk runs the script automatically as scheduled, it fails to index any data and gives this error:
get_bill.py: Traceback (most recent call last):
get_bill.py: File "/opt/splunk/etc/apps/SplunkAppforAWS/bin/get_bill.py", line 65, in <module>
get_bill.py: a = conn.create_bucket(s3bucket1)
get_bill.py: File "/opt/splunk/etc/apps/SplunkAppforAWS/bin/boto/s3/connection.py", line 432, in create_bucket
get_bill.py: File "/opt/splunk/etc/apps/SplunkAppforAWS/bin/boto/s3/connection.py", line 468, in make_request
get_bill.py: File "/opt/splunk/etc/apps/SplunkAppforAWS/bin/boto/connection.py", line 910, in make_request
get_bill.py: return self._mexe(http_request, sender, override_num_retries)
get_bill.py: File "/opt/splunk/etc/apps/SplunkAppforAWS/bin/boto/connection.py", line 872, in _mexe
get_bill.py: raise e
get_bill.py: socket.error: [Errno 111] Connection refused
But, if I run the script manually on the server, using the following command, it runs perfectly and all the data is printed out:
$SPLUNK_HOME/bin/splunk cmd python $SPLUNK_HOME/etc/apps/SplunkAppforAWS/bin/get_bill.py
Which doesn't make sense to me. Has anyone seen anything like this before?
I know we have been updating our Splunk instances lately, and there have been some network changes that could be affecting this, but I haven't had a chance to see if there is any correlation. I was baffled that when I run the command manually it works, but when Splunk tries to do it, it fails.
The Splunk instance that I work with has several data input scripts (~30). One of them is scheduled to run hourly; its cron string looks like this: "0 * * * *". It was working great, but it abruptly stopped running for some reason. The last time it ran (as determined by the timestamp on its output files) was June 30th at 11:00pm. I restarted Splunk, and it started running again, but I still haven't been able to determine what caused it to stop in the first place.
Because of the timing, I thought it might be an error in my cron string, but everything I have found online says that the string is correct. Has anyone else run into this before? Scripts that abruptly stop running?