Hi team,
Splunk logs are not getting in. We have done basic troubleshooting, but logs are still not getting generated.
[splunk@heavyforwarder3 sourcefire]$ cd log
[splunk@heavyforwarder3 log]$ ls -ltr
total 0
We have the configuration file for estreamer.conf set as
[script://./bin/client_check.py]
disabled = 0
source = eStreamer
sourcetype = sourcefire:network:client_check
index = intrusion
interval = 60
[monitor://$SPLUNK_HOME/etc/apps/sourcefire/log]
disabled = 0
source = eStreamer
sourcetype = sourcefire:network:ids
index = intrusion
crcSalt =
When I tried running
index="_internal" host="heavyforwarder3" "sourcefire", we got this exception
02-02-2018 05:35:36.074 -0500 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/sourcefire/bin/client_check.py
How can we troubleshoot this further?
From the inputs.conf doc, it says that when using a script, the script must be located in a specific directory, which doesn't appear to be the case in your setup:
[script://<cmd>]
* The <cmd> must reside in one of the following directories:
* $SPLUNK_HOME/etc/system/bin/
* $SPLUNK_HOME/etc/apps/$YOUR_APP/bin/
* $SPLUNK_HOME/bin/scripts/
The monitor statement should use the full absolute path, not the $SPLUNK_HOME variable within it, again from the docs:
[monitor://<path>]
* You must specify the input type and then the path, so put three slashes in
your path if you are starting at the root on *nix systems (to include the
slash that indicates an absolute path).
Try changing these to follow the spec and then see what you get afterwards.
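As an added example, not code from the question or the answer: a small Python checker that parses the two stanzas posted above and applies the two rules the answer quotes from the inputs.conf docs (the script must sit in one of the three bin directories; the monitor path must be absolute), and also flags the empty crcSalt line. It assumes $SPLUNK_HOME is /opt/splunk and the app is named sourcefire, as the _internal log line in the question suggests, and that a relative ./bin/ command resolves against the app directory.

```python
import os
# Copied from the question above so the checker runs against the exact stanzas posted.
POSTED_CONF = """[script://./bin/client_check.py]
disabled = 0
source = eStreamer
sourcetype = sourcefire:network:client_check
index = intrusion
interval = 60
[monitor://$SPLUNK_HOME/etc/apps/sourcefire/log]
disabled = 0
source = eStreamer
sourcetype = sourcefire:network:ids
index = intrusion
crcSalt =
"""
ALLOWED_SCRIPT_DIRS = ("$SPLUNK_HOME/etc/system/bin",
                       "$SPLUNK_HOME/etc/apps/{app}/bin", "$SPLUNK_HOME/bin/scripts")

def parse_stanzas(text):
    """Parse inputs.conf text into a list of (stanza_name, {key: value})."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            stanzas.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[1][key.strip()] = value.strip()
    return stanzas

def check_stanzas(text, splunk_home, app):
    """Return (stanza_name, finding) pairs for the script:// and monitor:// stanzas."""
    allowed = [os.path.normpath(d.replace("$SPLUNK_HOME", splunk_home).format(app=app))
               for d in ALLOWED_SCRIPT_DIRS]
    app_dir, findings = os.path.join(splunk_home, "etc", "apps", app), []
    for name, keys in parse_stanzas(text):
        if name.startswith("script://"):
            # Assumption: ./bin/... resolves against the app dir, matching the _internal log line.
            resolved = os.path.normpath(os.path.join(app_dir, name[len("script://"):]))
            if os.path.dirname(resolved) not in allowed:
                findings.append((name, "script outside the allowed bin dirs: " + resolved))
        elif name.startswith("monitor://"):
            path = name[len("monitor://"):].replace("$SPLUNK_HOME", splunk_home)
            if not os.path.isabs(path):
                findings.append((name, "monitor path is not absolute: " + path))
            if keys.get("crcSalt") == "":
                findings.append((name, "crcSalt key present with empty value"))
    return findings
```

Run against the posted stanzas it reports only the empty crcSalt line, since the script path resolves to $SPLUNK_HOME/etc/apps/sourcefire/bin and the expanded monitor path is absolute.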