All Apps and Add-ons

msg="A script exited abnormally" input="$SPLUNK_HOME/etc/apps/splunk_app_stream/bin/deploy_splunk_ta_stream.py " stanza="default" status="exited with code 1"

0waste_splunk
Communicator

msg="A script exited abnormally" input="$SPLUNK_HOME/etc/apps/splunk_app_stream/bin/deploy_splunk_ta_stream.py " stanza="default" status="exited with code 1"

Error Message appears once every hour. we have splunk enterprise 6.1.2 and splunk app for stream 6.1.

We don't want to disable "confcheck_script_errors" in Settings --> Data Inputs --> Configuration Checker.
We want permanent solution to this problem.

mdickey_splunk
Splunk Employee
Splunk Employee

This script should only ever be run once by splunkd at startup. If it's running once per hour, there may be a bug in splunkd's scheduler. I recommend filing a (splunkd, not App for Stream) bug report on that.

All it does is copy the files from $SPLUNK_HOME/etc/apps/splunk_app_stream/install/Splunk_TA_stream into $SPLUNK_HOME/etc/apps and $SPLUNK_HOME/etc/deployment-apps, and creates local/inputs.conf files (copied from default/inputs.conf). As a work-around, you could just perform these steps manually and disable the script by setting disabled=1 in splunk_app_stream's inputs.conf file.

It would be interesting to know why it's failing. Are there any other error messages in your $SPLUNK_HOME/var/log/splunk/stream_installer.log or splunkd.log file located in the same directory?

0 Karma

0waste_splunk
Communicator

Hi mdickey_splunk,

I don't see other error in either $SPLUNK_HOME/var/log/splunk/stream_installer.log or splunkd.log.

but one thing i notice in stream_installer.log is some how resetting disable=0 every now and then

 [INFO] /home/splunk/etc/apps/splunk_app_stream/install/Splunk_TA_stream was successfully copied to /home/splunk/etc/apps/Splunk_TA_stream
 [INFO] created config file (disabled=1): /home/splunk/etc/apps/Splunk_TA_stream/local/inputs.conf
 [INFO] /home/splunk/etc/apps/splunk_app_stream/install/Splunk_TA_stream was successfully copied to /home/splunk/etc/deployment-apps/Splunk_TA_stream
 [INFO] created config file (disabled=0): /home/splunk/etc/deployment-apps/Splunk_TA_stream/local/inputs.conf
0 Karma

mdickey_splunk
Splunk Employee
Splunk Employee

The log entries you included are part of the install process.. when it copies the Splunk_TA_stream directory. It should only include entries for when you first start splunk, and if you already have Splunk_TA_stream installed (and running latest version), it should just have entires saying that it's doing nothing. It should not update Splunk_TA_stream if it's already installed and the latest version (as determined by splunk_app_stream version). Would you send a larger snippet from that log file?

0 Karma

0waste_splunk
Communicator
 09:05:15,059 [INFO] Splunk App for Stream Dependency Manager: Exiting...
 10:41:08,811 [INFO] Splunk App for Stream Dependency Manager: Starting...
 10:34:13,787 [INFO] Splunk App for Stream Dependency Manager: Starting...
 16:31:39,409 [INFO] Splunk App for Stream Dependency Manager: Starting...
 09:14:56,112 [INFO] Splunk App for Stream Dependency Manager: Starting...
 09:36:19,720 [INFO] Splunk App for Stream Dependency Manager: Starting...
 13:25:15,743 [INFO] Splunk App for Stream Dependency Manager: Starting...
 15:05:01,399 [INFO] Splunk App for Stream Dependency Manager: Starting...
 16:25:17,324 [INFO] Splunk App for Stream Dependency Manager: Starting...
 10:22:36,261 [INFO] Splunk App for Stream Dependency Manager: Starting...
 15:30:43,211 [INFO] Splunk App for Stream Dependency Manager: Starting...
 14:20:34,908 [INFO] Splunk App for Stream Dependency Manager: Starting...
 11:06:50,844 [INFO] Splunk App for Stream Dependency Manager: Starting...
 12:18:49,808 [INFO] Splunk App for Stream Dependency Manager: Starting...
 11:52:13,863 [INFO] Splunk App for Stream Dependency Manager: Starting...
 11:54:49,352 [INFO] Splunk App for Stream Dependency Manager: Starting...
 11:56:50,331 [INFO] Splunk App for Stream Dependency Manager: Starting...
 15:48:02,104 [INFO] Splunk App for Stream Dependency Manager: Starting...
 12:10:38,010 [INFO] Splunk App for Stream Dependency Manager: Starting...
0 Karma

mdickey_splunk
Splunk Employee
Splunk Employee

Do you have some non-standard configuration of Splunkd WRT it's REST API endpoints? Non-standard port or something? Maybe a firewall? Every "Starting.." entry should have a corresponding "Exiting" entry and additional entries in between saying what it's doing. The only way I can imagine it only having "Starting..." entries if it's failing to query these endpoints.

0 Karma

mdickey_splunk
Splunk Employee
Splunk Employee

On second thought, I'm guess splunkd may be trying to re-run it every hour only because it is failing. That may be expected behavior.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...