Why did my saved search display error "exited with status code: 1"?

skuma30
New Member

One of my saved searches exited without proper information, and I am getting this error message in splunkd.log.

03-20-2017 10:22:32.054 -0500 ERROR script - sid:rt_scheduler__nobody_TW9uc2FudG8tTW9uaXRvcmluZy1TZWxmU2VydmljZQ__RMD539622b545a012fbd_at_1489931706_5897.76 command="runshellscript", Script: /opt/splunk/etc/apps/appname/bin/scripts/customappname.py exited with status code: 1

If anyone has any idea, please help me out.

0 Karma

somesoni2
SplunkTrust

Seems like your saved search ran fine but the alert action script customappname.py failed. I would check the python.log file for more details on the error.

0 Karma

a_salikov
Path Finder

Hello, skuma30

Were you able to solve this problem? If you solved it, can you share your solution? I have the same problem.

Thanks!

0 Karma

skuma30
New Member

Somesoni2,

Below is the script that I ran in the .py file.

#!/usr/bin/python

import gzip
import csv
import sys
import os
import subprocess
import splunklib.client as client
import collections
import json
import ConfigParser
from ConfigParser import SafeConfigParser

# Connection settings are read from an ini file.
parser = SafeConfigParser()
parser.read('/opt/splunk/etc/filename.ini')

HOST = parser.get('environment','HOST')
PORT = parser.get('environment','PORT')
USERNAME = parser.get('environment','USERNAME')
PASSWORD = parser.get('environment','PASSWORD')

def post(event):
    # Connect with the Splunk SDK and submit the event to index 'xyz'.
    print "connecting\n"
    service = client.connect(
        host=HOST,
        port=PORT,
        username=USERNAME,
        password=PASSWORD)
    index = service.indexes['xyz']
    index.submit(event, sourcetype='ABC')

# Record the arguments the script was called with.
with open('/tmp/customappname.log', 'a') as f:
    print>>f, sys.argv
print sys.argv

# Build the event from the gzipped CSV results file named in argument 8.
event = {}
f = gzip.GzipFile(sys.argv[8])
r = csv.DictReader(f)
for i in r:
    for key in i:
        if key == "key":
            # Strip spaces from the key value.
            x = str(i[key])
            x = x.replace(" ", "")
            event[key] = x
        elif key == "msg":
            event[key] = i[key]
        elif key == "severity":
            event[key] = i[key]
        elif key == 'status_defg':
            # Stored under the shorter field name 'status'.
            st = 'status'
            event[st] = i[key]
        elif key == "_time":
            event[key] = i[key]
        elif key == "support_team":
            event[key] = i[key]
        elif key == "auto_close":
            event[key] = i[key]

print 'event after processing\n', event

ju_event = json.dumps(event)

print ju_event

# Reads a line from standard input before posting.
raw_input("Hello")

post(ju_event)

0 Karma

skuma30
New Member

This is the custom script I ran, but it is throwing the error. Please let me know if you can help me.

0 Karma

DalJeanis
SplunkTrust

Often that RC 1 is an error in the python script. I've seen at least 3 instances here. The following link is one of them, and gives some suggestions for debugging.

https://answers.splunk.com/answers/189517/why-am-i-getting-error-code-1-for-my-python-script.html

Also, the "rt_scheduler__nobody" jumps out at me. Make sure that your script execution is properly owned, and that the owner has all the authority it needs.

0 Karma
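
One way to get more than "exited with status code: 1" out of an alert script like the one posted in this thread; this is an added example, not code from any post or from Splunk. It is written for Python 3 (the posted script is Python 2), and the names `preflight`, `run_logged`, `count_rows` and the debug log path are hypothetical.

```python
import csv
import gzip
import os
import stat
import sys
import traceback

def preflight(argv, config_path):
    """Return reasons the alert script would fail before doing any work."""
    problems = []
    if len(argv) <= 8:
        problems.append("no results file: argv has %d items, need argv[8]" % len(argv))
    else:
        try:
            with gzip.open(argv[8], "rt", newline="") as fh:
                if next(csv.reader(fh), None) is None:
                    problems.append("results file %s is empty" % argv[8])
        except (OSError, EOFError) as exc:  # missing, unreadable or not gzip
            problems.append("cannot read results file: %r" % exc)
    if not os.access(config_path, os.R_OK):
        problems.append("euid %d cannot read %s" % (os.geteuid(), config_path))
    elif os.stat(config_path).st_mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("%s stores PASSWORD but is world accessible" % config_path)
    return problems

def run_logged(body, argv, config_path, log_path):
    """Run body(argv); log why it failed and return the exit status."""
    with open(log_path, "a") as log:
        problems = preflight(argv, config_path)
        for problem in problems:
            log.write("preflight: %s\n" % problem)
        if problems:
            return 1
        try:
            body(argv)
        except Exception:
            # An uncaught exception ends the interpreter with status 1;
            # record who ran the script, with what, and the traceback.
            log.write("euid=%d argv=%r\n" % (os.geteuid(), argv))
            log.write(traceback.format_exc())
            return 1
    return 0

def count_rows(argv):
    """Constructed stand-in for the script body: read the gzipped CSV results."""
    with gzip.open(argv[8], "rt", newline="") as fh:
        return sum(1 for _ in csv.DictReader(fh))

if __name__ == "__main__":
    # Config path is the one from the posted script; the log name is hypothetical.
    sys.exit(run_logged(count_rows, sys.argv, "/opt/splunk/etc/filename.ini",
                        "/tmp/customappname_debug.log"))
```

Running it as the same OS user that splunkd runs as makes the `euid` lines in the log comparable with what the scheduler would see.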

skuma30
New Member

DalJeanis,

Thank you for the reply, but I'm searching for the command="runshellscript" and I cannot find it in the .py file.

0 Karma