Splunk Dev

Python script won't execute after setting in alerts

crt89
Communicator

Hi, good day,

I was trying to run a Python script after a saved search has been executed. I have set it up in the alert settings in the search and reports, but the script won't run. I have properly included my Python script in the $SPLUNK_HOME$/bin/scripts folder and made it executable using chmod. There was no logging in splunkd.log that the alert was executed, nor any errors that occurred.

Thanks

richard_wilhite
Explorer

I was experiencing the same issue as crt89. I worked through all the same steps as well, and finally found the issue was a relative path reference in my .py script, which needed to be an absolute path.

myConfig = ET.parse( 'foo.xml' ).getroot()

Needed to be updated to:

myConfig = ET.parse( '$SPLUNK_HOME/bin/scripts/foo.xml' ).getroot()

I was also running the python script via an .sh script to allow me to use python modules not included by splunk. Again, just as crt89 had outlined.

hughpyle
Engager

When I had this problem, it was because one of the Python modules for my script failed to import.

The Splunk version of Python has its site-packages location in $SPLUNK_HOME/lib/python2.7/site-packages, but I'd installed my various modules into the regular Python. Try from a shell,
python -c 'import site; print(site.getsitepackages()[0])'
versus
$SPLUNK_HOME/bin/splunk cmd python -c 'import site; print(site.getsitepackages()[0])'

One solution is to use easy_install --install-dir /path/to/splunk/site-packages . to specifically install each module that failed.

To debug this sort of thing, it's helpful to edit $SPLUNK_HOME/etc/apps/search/bin/runshellscript.py, and replace the line 'p.communicate(input=stdin_data)' with two lines,

           pipe = p.communicate(input=stdin_data)
           logger.info("result: %s", pipe)

which will log any output (error messages, etc) from your script into the Splunk 'python.log' file.

starcher
SplunkTrust

Try changing your hashbang path to the one for Splunk. Like:

#!/opt/splunk/bin/python

0 Karma

crt89
Communicator

Here's what's in my run.sh code:

#!/bin/bash

SCRIPT_PATH="/opt/splunk/bin/scripts/print.py"
PYTHON="/usr/bin/python"

$PYTHON $SCRIPT_PATH

0 Karma

crt89
Communicator

Here's a sample entry in my python.log:

2014-05-29 17:17:09,608 +0800 INFO runshellscript:188 - runshellscript: ['/bin/bash', '/opt/splunk/bin/scripts/run.sh', '1710', 'my search here', 'test_1', 'Saved Search [test_1] number of events(1710)', 'http://localhost:8000/app/smsgt/@go?sid=scheduler__admin__smsgt__RMD53c4ac00ac374c29b_at_1401355020_...', '', '/opt/splunk/var/run/splunk/dispatch/scheduler_adminsmsgt_RMD53c4ac00ac374c29b_at_1401355020_103/results.csv.gz']

0 Karma

linu1988
Champion

python.log will actually show you whether the script is triggered or not. If not, it will show you the error why! Moreover, if you are using arguments to take the CSV file path for the search, double-check that it is the right argument. Enable logging for your Python script to see whether it is even going inside it or not.

0 Karma

crt89
Communicator

Thanks for the reply MuS. There was no error in python.log, it just logs as normal, and yes, my search hit events. I also tried to run a simple script that outputs text into a file and it was successful, so I'm kinda stuck here: was my Python script the problem, or Splunk? Btw, what I was trying to do was have my saved search output results to a CSV file while my Python script parses this file and outputs it to another file that will later be indexed by Splunk. So I was thinking that my script would run as the saved search also runs. Also thinking that my script will run after my saved search has completed.

0 Karma

MuS
SplunkTrust

Any errors in python.log? If you 'replace' your script in the alert action with sending email, do you get this? In other words, does your search hit any events?

0 Karma

crt89
Communicator

Update: I also created a .sh file that will call my Python script. My script was running fine on the command line but won't execute when using Splunk alerts. I'm using CentOS as my OS and Splunk 6.0.3 as base. Would anyone like to help?

0 Karma
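
An added example, not part of the thread and not Splunk's own code: a Python 3 alert-script skeleton that applies the replies above. It resolves files relative to the script instead of the working directory, logs the interpreter, working directory and arguments to its own file, and reads the results file passed as the last argument (as in the python.log entry above). The function names, logger name and log file name are assumptions.

```python
import csv
import gzip
import logging
import os
import sys

# Directory holding this script; an alert-triggered run may use another cwd.
HERE = os.path.dirname(os.path.abspath(__file__))

def local_path(name, base=HERE):
    """Absolute path of a file kept beside the script (e.g. foo.xml)."""
    return os.path.join(base, name)

def read_results(path):
    """Load search results (results.csv.gz or plain .csv) as a list of dicts."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))

def run(argv, log_file=None):
    """Process one alert invocation; return the row count, or -1 on failure."""
    log = logging.getLogger("alert_script")  # hypothetical logger name
    handler = logging.FileHandler(log_file or local_path("alert_script.log"))
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    try:
        # Record what can differ between a shell run and a Splunk-triggered run.
        log.info("start interpreter=%s cwd=%s argv=%r", sys.executable, os.getcwd(), argv)
        if len(argv) < 2:
            raise ValueError('no results file argument; check the wrapper forwards "$@"')
        rows = read_results(argv[-1])  # assumption: results file is the last argument
        log.info("read %d rows from %s", len(rows), argv[-1])
        return len(rows)
    except Exception:
        log.exception("alert script failed")  # full traceback goes to the log file
        return -1
    finally:
        log.removeHandler(handler)
        handler.close()

if __name__ == "__main__":
    sys.exit(0 if run(sys.argv) >= 0 else 1)
```

If the log file shows a different interpreter or working directory than a manual run, that difference is the first thing to check.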