
Following on from http://splunk-base.splunk.com/answers/30462/best-practice-logging-script-runtime-results I have been having difficulties implementing a suggestion.

Quick summary, I am building a custom search but I keep encountering problems along the way. At the moment I am trying to log issues as I go along but I cannot get any logging import or sys.stderr to work. Logging outputs nothing to python.log (permissions are all fine) and using stderr isn't outputting anything to splunkd.log, even when the script is working and running through from start to finish.

I would appreciate any ideas as I cannot get my head around what is going on with it, I just need some feedback to find other problems!

asked 27 Sep '11, 06:22


Drainy

edited 27 Sep '11, 12:28


Lowell ♦


One Answer:

I think I can clear this up for you. Standard error (stderr) gets logged to the _internal index ONLY for scripted inputs--which are used to feed some kind of custom data into Splunk. It sounds like you are creating a custom search script, which is the mechanism used to inject custom code/logic into a search. (There are also external lookup commands which can also be python scripts, and alert triggered scripts which can also be written in Python.) These are all used for different situations, but yet do share some fairly common themes. But I'll not go into all of that now....

If you are trying to create a custom search command, then the easiest approach I'd suggest is adding the following code to the top of your python script:

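import logging as logger
import os  # needed for os.path.join and os.environ below

# Append log records to a dedicated file under $SPLUNK_HOME/var/log/splunk
logger.basicConfig(level=logger.INFO, format='%(asctime)s %(levelname)s %(message)s',
    filename=os.path.join(os.environ['SPLUNK_HOME'],'var','log','splunk','NameOfMyCustomSearchScript.log'),
    filemode='a')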

(You can also use "python.log" if you want, there's nothing stopping you; but you may want to make sure that you use the same format string as the other processes that write to that log.)

Then simply change any sys.stderr.write() calls to logger.info() or logger.error() or whatever severity you want.

Hope that helps.


answered 27 Sep '11, 12:28


Lowell ♦

edited 27 Sep '11, 12:33

Thanks! That clears that up, I think I made assumptions along the way that anything python was handled by the interpreter in the same way so I didn't clearly specify between if I was doing custom searches or scripts. I will try this tomorrow but it certainly explains my results.

(27 Sep '11, 12:45) Drainy
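
An added example, not part of the original answer or of Splunk's own code: the per-script log file from the answer, built as a named logger so it does not depend on the root logger being unconfigured. It goes beyond the answer in three assumed ways: the file rotates, it falls back to the temp directory when SPLUNK_HOME is unset, and CR/LF in messages is escaped so search input cannot forge log lines. The names setup_logger, splunk_log_path and OneLineFilter are hypothetical.

```python
import logging
import logging.handlers
import os
import tempfile

LOG_FORMAT = '%(asctime)s %(levelname)s %(message)s'  # format string from the answer


class OneLineFilter(logging.Filter):
    """Escape CR/LF so untrusted search input cannot forge extra log lines."""
    def filter(self, record):
        record.msg = record.getMessage().replace('\r', '\\r').replace('\n', '\\n')
        record.args = None  # message is already formatted
        return True


def splunk_log_path(script_name):
    """Return $SPLUNK_HOME/var/log/splunk/<name>.log, or a temp-dir path if unset."""
    home = os.environ.get('SPLUNK_HOME')
    log_dir = os.path.join(home, 'var', 'log', 'splunk') if home else tempfile.gettempdir()
    return os.path.join(log_dir, os.path.basename(script_name) + '.log')


def setup_logger(script_name, level=logging.INFO):
    """Build a logger that appends to the script's own rotating log file."""
    logger = logging.getLogger(script_name)
    logger.setLevel(level)
    logger.propagate = False  # keep records out of any root-logger handlers
    if not logger.handlers:  # avoid duplicate lines if called more than once
        handler = logging.handlers.RotatingFileHandler(
            splunk_log_path(script_name), maxBytes=5 * 1024 * 1024, backupCount=3)
        handler.setFormatter(logging.Formatter(LOG_FORMAT))
        handler.addFilter(OneLineFilter())
        logger.addHandler(handler)
    return logger


if __name__ == '__main__':
    log = setup_logger('NameOfMyCustomSearchScript')
    log.info('started; writing to %s', splunk_log_path('NameOfMyCustomSearchScript'))
```
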
Copyright © 2005-2012 Splunk, Inc. All rights reserved.