All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to avoid ExecProcessor rescheduling?

denissotoacc
Path Finder
‎07-20-2022 12:32 PM

I've configured an inputs.conf to run a single .bat script:

 

 

[script://.\bin\scripts\prueba_py.bat]
disabled = 0
_TCP_ROUTING = splunkcloud_prod
index = ldcsap
sourcetype = _json
interval = 0-59/5 * * * *

 

 


My batch script prueba_py.bat just execute a python script called prueba_py.py:

 

 

@echo off
python.exe "C:\Program Files\SplunkUniversalForwarder\etc\apps\myapp\bin\scripts\prueba_py.py"
exit /b 0

 

 


And finally my python script only creates a dictionary, convert it to json and print it:

 

 

import json

person = {"name":"Denis","surname":"Soto","age":"34"}
print(json.dumps(person))
exit(0)

 

 

Assuming the inputs.conf stanza, it should be executed every 5 minutes, using the TCP_ROUTING and indexing the data to "ldcsap" index. Well... that's not happening.

I'm receiving the following INFO alert in splunkd.log, I cannot find the error.

07-20-2022 16:30:00.033 -0300 INFO ExecProcessor [6652 ExecProcessor] - setting reschedule_ms=299967, for
command="C:\Program Files\SplunkUniversalForwarder\etc\apps\myapp\bin\scripts\prueba_py.bat"

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-20-2022 01:22 PM

The INFO message is saying the script will run again in 5 minutes (minus 33 ms).  That's what you want, right?

If the scripted input is not doing what is expected then you should check the splunkd and python logs for messages that might explain why it is failing.

I suspect the problem stems from Splunk Universal Forwarders not having a Python interpreter (unlike heavy forwarders).  The version of Python installed won't have the Splunk-specific modules that automatically index the script's output.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎07-20-2022 11:31 PM

Exactly, you could use Heavy Forwarder and use python script directly.

Printing from an external python interpreter will not index the data.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...