Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Capture data from scripted input

tsheets13
Communicator
‎01-02-2020 07:09 AM

I'm trying to so a simple ps for ssh connections from a specific user. I have created a python script

! /usr/bin/python

import os
os.system("ps -ef|grep 'sshd: myuser'|wc -l")

I've configured the script in inputs.conf

[script://$SPLUNK_HOME/etc/apps/CheckSSH/bin/chkssh.py]
disabled = false
index = testing
interval = 30 #frequency to run the script, in seconds
source = ssh_myuser
sourcetype = ssh_myuser

However, when I search for "sourcetype=ssh_myuser" I get no results.

ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tsheets13
Communicator
‎01-02-2020 09:18 AM

Sure enough, it didn't like the comment in the interval declaration in inputs.conf.
Working great now. Thanks

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

tsheets13
Communicator
‎01-02-2020 09:18 AM

Sure enough, it didn't like the comment in the interval declaration in inputs.conf.
Working great now. Thanks

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎01-02-2020 11:04 AM

@tsheets13 I have converted your comment to answer. Please accept the same to mark this question as answered and assist others facing similar issue.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

mydog8it
Builder
‎01-02-2020 07:32 AM

Search for errors in the _internal Splunk logs:

index=_internal error chkssh.py

If there are no logs in _internal for the script you can also check the local logs on the machine running the script:

$SPLUNK_HOME/var/log/splunk/

On the host running the script, have you verified connectivity to the Splunk endpoint? Firewalls can be brutal.

If you have some more troubleshooting data, please share.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...