All Apps and Add-ons

Splunk_TA_nix cannot open scripts

sjcoluccio67
Explorer

Hey Everyone,

I installed Splunk_TA_nix on my Ubuntu 16.04.2 server. After enabling some scripts and not seeing any data beng monitored, I checked splunkd.log and I see the following error:

07-03-2018 16:13:04.110 +0100 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/cpu.sh" /bin/sh: 0: Can't open

For some reason the UF cannot of the .sh script files. As shown below, Splunk is the owner of those files and it has execute permissions:

-rwxrwxr-x 1 splunk splunk 3447 Jul 3 15:21 bandwidth.sh*
-rwxrwxr-x 1 splunk splunk 3997 Jul 3 15:21 common.sh*
-rwxrwxr-x 1 splunk splunk 3997 Jul 3 15:21 common.sh*

Does anyone know what is wrong here?

sloshburch
Ultra Champion

This symptom also occurs if Windows line endings got in the way. If you are able to vi the files, you may see some Windows interference on the line endings.

In that case, you can either:

  1. Redeploy the app by downloading again from Splunkbase.
  2. Convert the file's line endings with something like perl -pi -e 's/\r\n/\n/g' filename

Although this could be a larger issue if your deployment server is a Windows machine. In that case, you may have line ending issues more pervasive than those scripts.

0 Karma

sloshburch
Ultra Champion
0 Karma

sloshburch
Ultra Champion

What user is Splunk running as? It could be accidentally not running as 'splunk', the owner of those scripts.

0 Karma

sloshburch
Ultra Champion

Ya, the issue is actually the commands those scripts run. If you run the script manually you'll be able to replicate it. The unix commands those scripts depend on need you to hook them up with the read/execute permissions.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!