Reporting

Script not triggered with complex wildcard search

linu1988
Champion

Hello All,
I have been struggling to find the reason why sometimes the scripts are not triggered when I put some wildcards in for filtering the search. My search contains many sub-searches, with append statements, to be able to get all the information.

sample:
Working scenario:
index=dummy "x\.y\.z" OR "x\.y" OR "v.x.y.z.*IO*"

Non-Working
index=dummy "x\.y\.z" OR "x\.y" OR "v.x.y.z*.*.IO*"

It doesn't trigger the script in the second case. Is there any setting which could help me with this? I have inspected the job but am not able to get any error or hint. No errors in python.log or splunkd.log. I am using Splunk v5.0.1.

Thanks

0 Karma

MuS
SplunkTrust

Hi linu1988,

If this is a scripted input, Splunk does not care about the content of the script; it will fire it at any given time... and maybe this is your problem: time. If you run your script too frequently Splunk can get some ugly results back if the scripts have the same name. Reduce the interval the script runs at. Use any kind of script logging option you have, like outputting the start time, result and end time into a file outside of Splunk, and check this file.

I also had this problem once, so I'm pretty sure this is not a Splunk problem 😉

happy debugging ...

cheers, MuS
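The tracing MuS suggests, as an added example that is not part of the thread and not Splunk's or MuS's code: a Python alert script that appends a timestamped record of every argument it was handed to a file outside Splunk, then does the real work (here, creating a directory, like the .bat in the question). The argument order is that of Splunk's legacy saved-search alert-script interface ($1 to $8); the ALERT_TRACE_FILE and ALERT_OUT_DIR environment variables and the default paths are assumptions made for the example. If the trace file never gets a "start" record, Splunk never launched the script; if it gets "start" but no "end", the script itself failed. Because the script runs with splunkd's privileges and $2/$3 carry the raw search string, nothing from argv is passed to a shell, and only a sanitised form of the saved-search name is used in the path.

```python
#!/usr/bin/env python
"""Tracing wrapper for a Splunk saved-search alert script (added example).

Run by Splunk as a scripted alert action, or by hand for debugging:
    $SPLUNK_HOME/bin/splunk cmd python alert_trace.py 3 'index=dummy ...' ...
"""
import os
import sys
import time

# Positional arguments Splunk passes to a legacy scripted alert action.
ARG_NAMES = (
    "event_count",     # $1 number of events returned
    "search_terms",    # $2 search terms
    "query_string",    # $3 fully qualified query string
    "saved_search",    # $4 name of the saved search
    "trigger_reason",  # $5 reason the alert fired
    "results_url",     # $6 browser URL to view the saved search
    "unused",          # $7 deprecated, always empty
    "results_file",    # $8 path to the gzipped CSV of results
)

# Assumed env var names / defaults; not part of Splunk's interface.
TRACE_FILE = os.environ.get("ALERT_TRACE_FILE", "/var/tmp/splunk_alert_trace.log")
OUT_DIR = os.environ.get("ALERT_OUT_DIR", "/var/tmp")


def parse_alert_args(argv):
    """Map argv (without the script name) onto ARG_NAMES; missing slots become ''."""
    values = list(argv) + [""] * (len(ARG_NAMES) - len(argv))
    return dict(zip(ARG_NAMES, values[:len(ARG_NAMES)]))


def format_trace_line(stage, args, ts, note=""):
    """One tab-separated record; tabs/newlines inside the query are escaped so a record stays on one line."""
    def esc(s):
        return s.replace("\\", "\\\\").replace("\n", "\\n").replace("\t", "\\t")
    fields = [time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(ts)), stage, str(os.getpid())]
    fields += [esc(args[n]) for n in ARG_NAMES]
    fields.append(esc(note))
    return "\t".join(fields) + "\n"


def write_trace(stage, args, note="", path=None):
    """Append one record to the trace file (outside Splunk, so it survives a failed run)."""
    with open(path or TRACE_FILE, "a") as fh:
        fh.write(format_trace_line(stage, args, time.time(), note))


def safe_dir_name(name):
    """Keep only [A-Za-z0-9_-] so a saved-search name cannot escape OUT_DIR."""
    cleaned = "".join(c if c.isalnum() or c in "-_" else "_" for c in name)
    return cleaned or "alert"


def do_work(args, out_dir):
    """The actual alert action: mkdir <out_dir>/<saved search>_<epoch>. Returns the path created."""
    target = os.path.join(out_dir, "%s_%d" % (safe_dir_name(args["saved_search"]), int(time.time())))
    os.makedirs(target)
    return target


if __name__ == "__main__":
    alert_args = parse_alert_args(sys.argv[1:])
    write_trace("start", alert_args)
    try:
        created = do_work(alert_args, OUT_DIR)
    except Exception as exc:  # record the failure, then let splunkd see the non-zero exit
        write_trace("error", alert_args, note=repr(exc))
        raise
    write_trace("end", alert_args, note="created=" + created)
```

Point the saved search's alert action at this script, fire it once by hand with the same number of arguments Splunk would pass, and compare the trace file against the alert's own schedule: the gap between what Splunk says it did and what the file shows is exactly the information the job inspector does not give you.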

linu1988
Champion

This is occurring in Splunk 6 as well; it doesn't work with long, complex Splunk queries. Here as well I have to do it using a macro.

0 Karma

MuS
SplunkTrust

I mentioned earlier:
' what are you doing exactly' ....

Let's take this offline. I'll push your "contact me" button so you can mail me 😉

0 Karma

linu1988
Champion

I mentioned earlier, the script is not getting triggered at all. When it gets triggered it actually works. This depends on the search I mentioned above. With complex searches it doesn't trigger the script at all.

0 Karma

MuS
SplunkTrust

Then replace your script with any working one, like sendemail.py, and see if this is fired. If yes, the problem is with your script.

0 Karma

linu1988
Champion

I mentioned earlier, I get all the events for all the searches and get the detailed mail as well. I have been struggling to understand why it is not triggering that .bat file. Any idea of the logic behind how the script is triggered? Maybe some bug with wildcard searches or longer search queries. Where else should I check for the reason?

0 Karma

MuS
SplunkTrust

Could it be that this second search, with the additional filter criteria, causes this problem because it simply does not find any events?

0 Karma

linu1988
Champion

No, it is a script which is triggered by a saved search. That is not working whatever I do. Manually the .bat file runs, and it works with some specific searches with wildcards. As I mentioned, once I include more filter criteria it doesn't trigger the script. As usual, I get the email alert.

0 Karma

MuS
SplunkTrust

So what are you doing exactly? This is a scripted input, right? What does the script you run look like? What happens if you run this script manually using $SPLUNK_HOME/bin/splunk cmd python <pathtoyourscript>/yourScript? What happens if you run this script once an hour or every 10 minutes instead of every second?

0 Karma

linu1988
Champion

Hey MuS, after this long I have set up each and every tracing mechanism to validate where the issue lies. But it doesn't trigger the script at all. It sends me the result mail, but it simply doesn't trigger until I give some specific filters. If time is the problem I want the ugly result, but there is no trigger of the script at all. Hope you can give some other idea.

e.g. the .bat file contains mkdir folder. It's not even creating that.

0 Karma