Error when running CLI remotely

sieutruc
Contributor

Hello,

When I run the CLI remotely to the indexer as:

splunk edit exec "c:\Program Files\Splunk\etc\system\bin\memory.bat" -interval 50 -uri https:\\192.168.64.4:8089

I got an error saying: "in handle 'script': cannot edit input "c:\Program Files\Splunk\etc\system\bin\memory.bat", no input exist with that name"

But I have configured inputs.conf on the indexer as below:

inputs.conf

  [script://$SPLUNK_HOME\etc\system\bin\memory.bat]
    interval = 80
    index = default
    disabled = 0

How can I solve that?

Another question: when I change a script's interval, is it triggered right away, or does it wait for the end of the first period of the new interval?

bmacias84
Champion

@sieutruc, OK, I think I figured this one out. I've tested this on Splunk 4.3.3 with Linux to Windows and vice versa. Apparently, if you use single or double quotes ( ' or " ) around the source in add or edit within exec, the CLI bombs out remotely and locally. And you receive the following error even though the path is legit.


#ERROR producing commands
splunk add exec "C:/Program Files/SplunkUniversalForwarder/etc/system/bin/test.bat" -interval 50
OR
splunk add exec "$SPLUNK_HOME/etc/system/bin/test.bat" -interval 50
OR
splunk add exec '$SPLUNK_HOME\etc\system\bin\test.bat' -interval 50
OR
splunk add exec "C:\Program Files\SplunkUniversalForwarder\etc\system\bin\test.bat" -interval 50
OR
splunk edit exec '$SPLUNK_HOME\etc\system\bin\test.bat' -interval 80


#ERRORS in splunkd.log
ERROR FrameworkUtils - Incorrect path to script: C:\$SPLUNK_HOME\etc\system\bin\test.bat. Script must be in a bin subdirectory in $SPLUNK_HOME.
OR
ERROR FrameworkUtils - Incorrect path to script: C:\Program Files\SplunkUniversalForwarder\etc\system\bin\test.bat. Script must be in a bin subdirectory in $SPLUNK_HOME.

Working CLI Commands

#WORKING STRINGS
splunk add exec $SPLUNK_HOME\etc\system\bin\test2.bat -interval 60 -uri https://xxxxxx.xxx.167:8089
Configuration updated: '$SPLUNK_HOME\etc\system\bin\test2.bat' has been added for execution.
OR
splunk edit exec $SPLUNK_HOME\etc\system\bin\test2.bat -interval 80 -uri https://xxx.xxx.xxx.167:8089
Configuration updated for '$SPLUNK_HOME\etc\system\bin\test2.bat'.

This seems like a bug to me. If you can't quote a parameter, how do you handle spaces?

Hope this helps.

0 Karma

bmacias84
Champion

Not sure. I am using Red Hat and 2k8 Server Core.

You could try passing the Windows Program Files short path:
C:\PROGRA~1\splunk\etc\system\bin\yourbat.bat. Or, within a sh script, set your $SPLUNK_HOME temporarily to C:\Program Files\Splunk\.

You might need to open a case with support at this point. Sorry I couldn't be of more help.

0 Karma

sieutruc
Contributor

I don't know, but I executed:
splunk edit exec "c:\Program Files\Splunk\etc\system\bin\memory.bat" -interval 50 -uri https:\\192.168.64.4:8089

from Windows 7 to Windows 2003, and it ran smoothly.

But when I ran your successful command:

splunk add exec $SPLUNK_HOME\etc\system\bin\test2.bat -interval 60 -uri https://xxxxxx.xxx.167:8089

I got an error: 10-26-2012 01:37:43.196 +0200 ERROR AdminHandler:Exec - The file "C:\Program Files\Splunk\bin\scripts\/opt/splunketcsystembintets.bat" does not exist. (from openSUSE to Windows 2003)

It's so weird. How does Splunk handle parameters on Linux?

0 Karma
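
Added example, not part of the thread and not Splunk code: how a POSIX shell rewrites the argument before any program sees it, which yields a path of the same shape as the one in the log line above. `SPLUNK_HOME=/opt/splunk` is an assumed value and `show_arg` is a hypothetical helper; this covers sh/bash only, not the Windows command prompt.

```shell
#!/bin/sh
# Added illustration: the exact argument a POSIX shell hands to a program
# for each quoting style. Nothing here calls the Splunk CLI.
# Assumption: SPLUNK_HOME is /opt/splunk on the Linux side (constructed value).
SPLUNK_HOME=/opt/splunk

# Hypothetical helper: prints its first argument verbatim, i.e. what the
# invoked program would receive as argv[1].
show_arg() { printf '%s\n' "$1"; }

# Unquoted: the shell expands $SPLUNK_HOME and treats every backslash as an
# escape character, so all backslashes are removed.
unquoted() { show_arg $SPLUNK_HOME\etc\system\bin\test2.bat; }

# Single quotes: no expansion at all; the literal text $SPLUNK_HOME and the
# backslashes reach the program untouched.
single_quoted() { show_arg '$SPLUNK_HOME\etc\system\bin\test2.bat'; }

# Double quotes: $SPLUNK_HOME is expanded, but a backslash in front of an
# ordinary letter is preserved.
double_quoted() { show_arg "$SPLUNK_HOME\etc\system\bin\test2.bat"; }

# Unquoted with escapes: \$ keeps the dollar sign literal and each doubled
# backslash collapses to one, giving the same argument as single quotes.
escaped() { show_arg \$SPLUNK_HOME\\etc\\system\\bin\\test2.bat; }

for form in unquoted single_quoted double_quoted escaped; do
    printf '%-14s -> %s\n' "$form" "$($form)"
done
```
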

sieutruc
Contributor

$SPLUNK_HOME is just a defined global variable, so substituting it into that command doesn't make it better.

Why is Splunk's set of CLI commands so limited? It is possible to use Splunk Web to activate/deactivate a scripted input whenever needed (this isn't documented in any document, I believe), as well as changing the interval, sourcetype... Maybe the documentation for this set of CLI commands isn't completely done.

0 Karma

Ayn
Legend

Not very familiar with editing this stuff from the CLI, but it might be possible that Splunk is matching on the literal $SPLUNK_HOME string, not what it happens to expand to. Did you try using $SPLUNK_HOME in your command?

0 Karma

sieutruc
Contributor

I tried all possible separators: /, //, \, \\. They didn't work. I run the CLI from Windows to Windows for testing.

0 Karma

bmacias84
Champion

So is your CLI from Linux to Windows, Linux to Linux, or Windows to Linux? Guessing it's Linux to Windows.

Windows will interpret '/' the same as '\'. Try replacing with the forward slash. Else I'll look into it some more; let me know.

0 Karma

Yorokobi
SplunkTrust

Given that the output you're seeing has the backslashes removed, my best guess is that you'll need to use double backslashes in the path, probably on the CLI rather than in inputs.conf.

E.g.: "C:\\Program Files\\Splunk\\etc\\system\\bin\\memory.bat"

Alternatively, use forward slashes.

0 Karma

sieutruc
Contributor

Thanks, I did, but it gives the same error. Have you ever done it yet?

0 Karma