Getting Data In

How do you enable debug logging for scripted input

kbecker
Communicator

I am trying to debug a scripted input that isn't running when it should and I want to enable debug logging. When I look at log.cfg there are about 40 settings under splunkd, which one(s) needs to be changed enable this logging? On a side note I stopped splunk and started with the debug flag (service start splunk --debug), but this didn't seem to do anything.

Universal Forwarder
4.2.2
Build 101277

Thanks for any assistance...

Tags (1)

wrangler2x
Motivator

Have a look at https://answers.splunk.com/answers/9917/how-to-debug-scripts-execution.html

Besides setting it through System settings » System logging » ExecProcessor, you can also turn this on at the command line thusly:

Turn debug on:

    `$ splunk set log-level ExecProcessor -level DEBUG`

Set it back:

    `$ splunk set log-level ExecProcessor -level INFO`

See what it is set to:

    `$ splunk show log-level ExecProcessor`

I can use the splunk command at the command line anywhere because I have this in my .bashrc:

    alias splunk=/opt/splunk/bin/splunk
0 Karma

dwaddle
SplunkTrust
SplunkTrust

This is relevant in terms of setting the actual debug setting -- http://splunk-base.splunk.com/answers/33942/how-can-i-change-the-debug-level-on-a-universal-forwarde...

Some of the logging objects that would seem to be relevant (simply based on scanning them by name) would be:

/server/logger/ScriptRunner
/server/logger/script
/server/logger/SchedulerLauncherProcessor
/server/logger/ProcessRunner
/server/logger/ProcessTracker
/server/logger/ExecProcessor
/server/logger/CronScheduler

I would probably try experimenting with each of these in turn to see which combination gives you the debug output you need. The nice thing about enabling these as REST calls is that you don't have to restart splunkd inbetween. But, these settings are not persisted - they'll be undone when you do restart splunkd.

dwaddle
SplunkTrust
SplunkTrust

That is correct. These are all REST logging config endpoints. I would not expect them to appear in log.cfg.

0 Karma

kbecker
Communicator

This is via the Rest API. I don't see any of these in the log.cfg config file.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...