Splunk Search

setup.xml: problems with windows scripted input format

mw
Splunk Employee

I have a setup.xml which uses the following format for scripted inputs on Unix systems:

# inputs.conf
[script://./bin/nmap.sh]

# setup.xml
<block title="Ping Scan" endpoint="admin/script" entity=".%252Fbin%252Fnmap.sh">
  ...
</block>

That works just fine, though I'll admit that I'm not clear on what the "25" part of %252F represents (I realize %2F is a "/" character, and I think %25 is a "%" character?). Anyways, I'm having some problems flipping this around for Windows. What should the "encoded" script path look like? The following doesn't work:

# inputs.conf
[script://.\bin\nmap.cmd]

# setup.xml
<block title="Ping Scan" endpoint="admin/script" entity=".%5Cbin%5Cnmap.cmd">
  ...
</block>

The input stanza works just fine for me. The setup.xml block displays correctly on the setup page as is, but if I try to save it I get an error:

Encountered the following error while trying to update: In handler 'localapps': Cannot edit input ".binnmac.cmd", no input exists with that name

The error shows no backslash characters, so I'm wondering if they're getting chewed up on the save operation, or just in displaying the error. In any case, I've tried a few variations on the block, but if I move away from just the "%5C" the setup page won't display at all saying that it can't be found or something similar:

<block title="Ping Scan" endpoint="admin/script" entity=".%255Cbin%255Cnmap.cmd">
<block title="Ping Scan" endpoint="admin/script" entity=".%5C5Cbin%5C5Cnmap.cmd">

What am I doing wrong here?

Also, as a side note, while it's not such a big deal in this case, it would be awesome if I could use a forward slash in inputs.conf on both Unix and Windows. i.e. why can't the stanza below just work everywhere?

[script://.bin/foo.py]


jkat54
SplunkTrust

I have the same exact problem and it's driving me nuts.

One workaround is to have a binary for each type of input (win/lin), something like script.win.py and script.lin.py. But now you possibly have the same code in two python files.

Another workaround is to use entity=".*script.win.py" mode="bulk". But now it will enable/disable both the windows and linux inputs each time. Side note, having a linux type scripted input enabled doesn't cause any harm.

0 Karma

splunk_mkhan
Explorer

Did you find any solution? I am facing a similar issue.
I am trying to update an inputs.conf stanza on windows; it is working fine in linux but giving the following error in windows 7.

Encountered the following error while trying to update: In handler 'localapps': Cannot find item for POST arg_name="/admin/script/%24SPLUNK_HOME%5Cetc%5Capps%5Cmy_app%5Cbin%5Cmy_script.py%2015/enabled"

For reference, here are excerpts from inputs.conf and setup.xml:

inputs.conf:

[script://$SPLUNK_HOME\etc\apps\my_app\bin\my_script.py 15]
disabled = 0

setup.xml

<block title="my script setting"
       endpoint="admin/script"
       entity="%24SPLUNK_HOME%5Cetc%5Capps%5CiSIGHTPartners_ThreatScape_App%5Cbin%5Cmy_script.py%2015">
    <input field="enabled">
        <label>Enable</label>
        <type>bool</type>
    </input>
</block>

Any help will be appreciated.
Thanks,

0 Karma

hazekamp
Builder

I believe the following will work for both unix and windows:

<block title="Ping Scan" endpoint="admin/script" entity=".*bin.*nmap\..*" mode="iter">
...
</block>

Update: It looks like admin/script is interpreting your relative path. For example, on my machine ./bin/nmap.sh translates to /Users/hazekamp/Applications/splunk/etc/system/local/bin/nmap.sh in admin/script.

The wildcarded entity above should be generic enough to match your nmap command.

mw
Splunk Employee

That seems to work ok enough to allow the setup page to render, but I still get the same error when I attempt to save (on my [script://.\bin\nmap.cmd] input). I'm at a loss. I don't know if I'm being an idiot, or this is some weird bug...

My comment on format for both Unix and Windows was really directed at inputs.conf (i.e. if I have a python input, why do I need to muck around with forward vs. backslash if I've taken the time to code my python to work on any platform) -- it was a bit of a tangent. 🙂

0 Karma

ziegfried
Influencer

The easiest way to get the entity for such setup.xml fields is to look at the REST endpoint listing. Just point your browser to https://your-splunk-server:8089/services/data/inputs/script and simply copy the url and take the entity part from it.

Btw. I second the suggestion of being able to specify scripts using forward slashes on Windows.

Update:

In my experience it's better to add scripted inputs by specifying the full path:

[script://$SPLUNK_HOME/etc/apps/myapp/bin/myscript.py]

To illustrate what I was trying to say above:

You can find multiple links (those are links to entities) at the REST page I've mentioned above. For example the link could look like this:

https://localhost:8089/servicesNS/nobody/myapp/admin/script/%24SPLUNK_HOME%5Cetc%5Capps%5Cmyapp%5Cbi...

The entity you have to use in the setup.xml is the part after the last /, i.e.:

%24SPLUNK_HOME%5Cetc%5Capps%5Cmyapp%5Cbin%5Cmyscript.py
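The two points raised in this thread, the question of what the "25" in %252F means and the advice above to take the entity straight from the last path segment of the REST link, both come down to how many layers of percent-encoding a value carries. The script below is an added example, not code from the thread or from Splunk; it uses only Python's standard urllib.parse, and the stanza names and REST URL it works on are constructed from the values already quoted in this thread. It shows that %252F is a second encoding layer over %2F (the % itself becomes %25), builds the single- and double-encoded entity for Unix and Windows stanza paths, pulls the still-encoded entity out of a REST link, and checks that a setup.xml entity decodes back to the inputs.conf stanza name. Which encoding layer the Windows admin/script endpoint actually accepts is what the thread leaves unresolved, so the code only makes the layers explicit; it does not claim to know Splunk's answer.

```python
from urllib.parse import quote, unquote, urlsplit

SCRIPT_PREFIX = "[script://"


def stanza_path(stanza_header: str) -> str:
    """Strip '[script://' and the closing ']' from an inputs.conf stanza header."""
    header = stanza_header.strip()
    if not (header.startswith(SCRIPT_PREFIX) and header.endswith("]")):
        raise ValueError(f"not a script stanza header: {stanza_header!r}")
    return header[len(SCRIPT_PREFIX):-1]


def encode_entity(path: str, layers: int = 1) -> str:
    """Percent-encode a stanza path for setup.xml's entity attribute.

    layers=1: './bin/nmap.sh' -> '.%2Fbin%2Fnmap.sh'
    layers=2: the '%' signs are encoded again, giving '.%252Fbin%252Fnmap.sh',
    which is the form the original question was puzzled by.
    safe="" makes quote() encode '/' and '\\' as well; '.', '_' and '-' stay literal.
    """
    value = path
    for _ in range(layers):
        value = quote(value, safe="")
    return value


def encoding_layers(entity: str) -> int:
    """Count percent-encoding layers by decoding until the value stops changing.

    Assumes the underlying path holds no literal '%'; a path that does would be
    over-counted, which is the usual hazard of decode-until-stable loops.
    """
    layers = 0
    value = entity
    while unquote(value) != value:
        value = unquote(value)
        layers += 1
    return layers


def decode_entity(entity: str) -> str:
    """Remove every encoding layer (same caveat as encoding_layers)."""
    value = entity
    while unquote(value) != value:
        value = unquote(value)
    return value


def entity_from_rest_url(url: str) -> str:
    """Return the last path segment of a REST entity link, still percent-encoded.

    urlsplit() does not decode the path, so the segment is exactly what the
    browser showed and can be pasted into setup.xml unchanged.
    """
    return urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1]


def entity_matches_stanza(entity: str, stanza_header: str) -> bool:
    """True when the setup.xml entity decodes to the inputs.conf stanza name."""
    return decode_entity(entity) == stanza_path(stanza_header)


if __name__ == "__main__":
    # Constructed inputs based on the stanza names quoted in this thread.
    for header in ("[script://./bin/nmap.sh]",
                   "[script://.\\bin\\nmap.cmd]",
                   "[script://$SPLUNK_HOME\\etc\\apps\\myapp\\bin\\myscript.py]"):
        path = stanza_path(header)
        print(f"{header}")
        for layers in (1, 2):
            print(f"  {layers} layer(s): {encode_entity(path, layers)}")

    # Hypothetical REST link, shaped like the one quoted in the answer above.
    link = ("https://localhost:8089/servicesNS/nobody/myapp/admin/script/"
            "%24SPLUNK_HOME%5Cetc%5Capps%5Cmyapp%5Cbin%5Cmyscript.py")
    entity = entity_from_rest_url(link)
    print(f"entity from REST link: {entity} ({encoding_layers(entity)} layer)")
    print("matches stanza:",
          entity_matches_stanza(entity, "[script://$SPLUNK_HOME\\etc\\apps\\myapp\\bin\\myscript.py]"))
```

Running it prints each stanza with its one- and two-layer encodings; the Windows stanza comes out as .%5Cbin%5Cnmap.cmd at one layer and .%255Cbin%255Cnmap.cmd at two, which are exactly the two variants tried in the question, so the script makes it easy to see which layer a given entity string is at before changing it.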

ziegfried
Influencer

I've updated the answer. I hope that's understandable now.

0 Karma

mw
Splunk Employee

Yeah, I'm confused by that. I don't see much at the other url either. Everything I see at those urls starts with $SPLUNK_HOME and the data is in the default index...

0 Karma

ziegfried
Influencer

You're using the admin/script endpoint and not any custom setup routine. You should at least see a reference here https://localhost:8089/services/admin/script if your input is configured correctly.

0 Karma

mw
Splunk Employee

Thanks for the help. I actually don't see many of my scripted inputs at that url. In fact, the only place that I could find a reference is here: https://your-splunk-server:8089/services/apps/local/asset_discovery/setup. However, I'm not sure how reliable that is for Splunk's idea of what the encoded path should be versus what my setup routine has specified...

0 Karma