Splunk Dev

sys.stderr Not logging to splunkd

Drainy
Champion

Following on from http://splunk-base.splunk.com/answers/30462/best-practice-logging-script-runtime-results I have been having difficulties implementing a suggestion.

Quick summary, I am building a custom search but I keep encountering problems along the way. At the moment I am trying to log issues as I go along but I cannot get any logging import or sys.stderr to work. Logging outputs nothing to python.log (permissions are all fine) and using stderr isn't outputting anything to splunkd.log, even when the script is working and running through from start to finish.

I would appreciate any ideas as I cannot get my head around what is going on with it, I just need some feedback to find other problems!

1 Solution

Lowell
Super Champion

I think I can clear this up for you. Standard error (stderr) gets logged to the _internal index ONLY for scripted inputs--which are used to feed some kind of custom data into Splunk. It sounds like you are creating a custom search script, which is the mechanism used to inject custom code/logic into a search. (There are also external lookup commands which can also be Python scripts, and alert triggered scripts which can also be written in Python.) These are all used for different situations, but yet do share some fairly common themes. But I'll not go into all of that now....

If you are trying to create a custom search command, then the easiest approach I'd suggest is adding the following code to the top of your Python script:

```python
import os  # needed for os.path.join and os.environ below
import logging as logger

# Append INFO-and-above messages to a dedicated file under Splunk's log directory.
logger.basicConfig(level=logger.INFO, format='%(asctime)s %(levelname)s %(message)s',
    filename=os.path.join(os.environ['SPLUNK_HOME'],'var','log','splunk','NameOfMyCustomSearchScript.log'),
    filemode='a')
```

(You can also use "python.log" if you want, there's nothing stopping you; but you may want to make sure that you use the same format string as the other processes that write to that log.)

Then simply change any sys.stderr.write() calls to logger.info() or logger.error() or whatever severity you want.

Hope that helps.
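
An added example, not part of the original posts: a dedicated file logger for a custom search script, following the approach in the answer above, that also routes uncaught tracebacks to the same file since stderr is not collected for this kind of script. It attaches its own handler rather than calling basicConfig(), which does nothing when the root logger already has a handler. The names get_script_logger and log_uncaught_exceptions, and the temp-directory fallback when SPLUNK_HOME is unset, are assumptions made for the example.

```python
import logging
import os
import sys
import tempfile


def get_script_logger(name, log_dir=None):
    """Return a logger that appends to <log_dir>/<name>.log.

    log_dir defaults to $SPLUNK_HOME/var/log/splunk, the directory used in
    the answer above. The temp-dir fallback is an assumption so the script
    can also be run by hand outside Splunk.
    """
    if log_dir is None:
        home = os.environ.get("SPLUNK_HOME")
        log_dir = (os.path.join(home, "var", "log", "splunk")
                   if home else tempfile.gettempdir())
    path = os.path.abspath(os.path.join(log_dir, name + ".log"))

    log = logging.getLogger(name)
    log.setLevel(logging.INFO)
    log.propagate = False  # do not depend on, or duplicate into, root handlers
    # Attach the file handler only once, even if this function is called again.
    if not any(getattr(h, "baseFilename", None) == path for h in log.handlers):
        handler = logging.FileHandler(path, mode="a")
        handler.setFormatter(
            logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
        log.addHandler(handler)
    return log


def log_uncaught_exceptions(log):
    """Write uncaught tracebacks to the log file instead of stderr."""
    def hook(exc_type, exc_value, exc_tb):
        log.error("uncaught exception", exc_info=(exc_type, exc_value, exc_tb))
    sys.excepthook = hook
    return hook


if __name__ == "__main__":
    logger = get_script_logger("NameOfMyCustomSearchScript")
    log_uncaught_exceptions(logger)
    logger.info("script started, argv=%r", sys.argv[1:])
```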

christopherwern
New Member

Hello Lowell,

thank you for that proposal. I tried that as well, but it won't work for my script.
It just skips the logging part in my script without displaying any error.

Maybe you can help me out of this?

Kind regards,
Christopher

0 Karma

Drainy
Champion

Thanks! That clears that up, I think I made assumptions along the way that anything python was handled by the interpreter in the same way so I didn't clearly specify between if I was doing custom searches or scripts. I will try this tomorrow but it certainly explains my results.

0 Karma