Getting Data In

Why is my script exiting with code 1 on enterprise security app when I run a script action?

OBsecurity
Explorer

Hello Folks.
I've created a script that should call the 'HIPCHAT' messaging application's API.
When running the script (on the ES machine) via the CLI it works fine. After 3 days of workarounds, the ES 'run a script' action still runs the script and fails with exit code 1 no matter what I've tried.

This is the command for the API:

/usr/bin/curl -H 'Content-Type: application/json' -X 'POST' -d '{"message_format": "text", "message": "Threat - hipchat - Rule"}' 'https://api.hipchat.com/v2/room/4415200/notification?auth_token=mytoken' 

This is the script:

\#!/bin/bash

ROOM_ID=4415200
AUTH_TOKEN=mytoken


curl="'""Content-Type: application/json""'"
echo curl=$curl >> "/opt/splunk/bin/scripts/splunk-hiptest.out"

post="'""POST""'"
echo post=$post >> "/opt/splunk/bin/scripts/splunk-hiptest.out"


MESSAGE="'""{\"message_format\": \"text\", \"message\": \"$4\"}""'"
echo message=$MESSAGE >> "/opt/splunk/bin/scripts/splunk-hiptest.out"

url="'""https://api.hipchat.com/v2/room/4415200/notification?auth_token=mytoken""'"
echo url=$url >> "/opt/splunk/bin/scripts/splunk-hiptest.out"



echo curl -H $curl \
-X $post \
-d $MESSAGE \
$url >> "/opt/splunk/bin/scripts/splunk-hiptest.out"


echo curl_exit_code = $? >> "/opt/splunk/bin/scripts/splunk-hiptest.out"

Workarounds

  1. Tried to run a script with a single command line.
  2. Tried to build the command with/without args.

Please help 🙂
Thanks!

0 Karma

jeanyvesnolen
Path Finder

You can change

\#!/bin/bash

to

#!/bin/bash

And

echo curl -H $curl \
-X $post \
-d $MESSAGE \
$url >> "/opt/splunk/bin/scripts/splunk-hiptest.out"

should be

curl -H $curl \
-X $post \
-d $MESSAGE \
-o "/opt/splunk/bin/scripts/splunk-hiptest.out" \
$url
curl_exit_code=$?
echo $curl_exit_code >> /opt/splunk/bin/scripts/splunk-hiptest.out
exit $curl_exit_code
0 Karma

OBsecurity
Explorer

My bad for not pointing this out...
1. In my original script the #!/bin/bash line is as expected (without the backslash).
2. The curl command is not 'echo'ed. I forgot to remove it while copy-pasting here.

Sorry.
Anyway, you actually see the -o output while Splunk runs the script.

Any other ideas what the BIG difference is between Splunk and the CLI?

0 Karma
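The script posted above builds every value as "'"..."'", so each variable's value contains literal single-quote characters (a single quote inside a double-quoted string is an ordinary character), and then expands the variables unquoted. The header value is split on its space into two arguments, and the URL curl receives begins with a literal ', so curl treats "'https" as the scheme and exits 1 (unsupported protocol), which is the exit code the question reports. The script below is an added example, not the poster's script and not anything shipped with Splunk or HipChat: it demonstrates the quoting problem with small functions, builds the JSON body with an escaped message, reads the token from a file instead of embedding it in the script and the URL query string, and returns curl's exit status so Splunk records it. The token file path, the log path and the room id default are assumptions; Splunk's scripted-alert convention of passing the saved-search name as $4 and HipChat v2's acceptance of an Authorization: Bearer header are as documented by those products.

```shell
#!/bin/bash
# Added example, not the poster's script or anything shipped with Splunk/HipChat.
# Assumptions (hypothetical): token lives in /opt/splunk/etc/hipchat.token, the
# log goes to /opt/splunk/bin/scripts/splunk-hiptest.out, and Splunk's scripted
# alert passes the saved-search name as $4 (its documented positional argument).
set -u

LOG="${HIPCHAT_LOG:-/opt/splunk/bin/scripts/splunk-hiptest.out}"
TOKEN_FILE="${HIPCHAT_TOKEN_FILE:-/opt/splunk/etc/hipchat.token}"
ROOM_ID="${HIPCHAT_ROOM_ID:-4415200}"

count_args() { echo "$#"; }

# The posted script builds each value as "'"..."'", so the value itself contains
# single-quote characters, and then expands it unquoted. Two things go wrong:
#   1. the space in the header value splits it into two arguments;
#   2. the URL starts with a literal ', so curl sees the scheme "'https" and
#      exits 1 ("Protocol not supported").
demo_original_header_argc() {
    local h="'""Content-Type: application/json""'"
    count_args $h              # unquoted expansion: 2 words
}
demo_original_url_first_char() {
    local url="'""https://api.hipchat.com/v2/room/4415200/notification""'"
    printf '%s' "${url:0:1}"   # the stray quote curl receives as part of the scheme
}
demo_fixed_header_argc() {
    local h="Content-Type: application/json"
    count_args "$h"            # quoted expansion: exactly 1 word
}

# Escape backslashes and double quotes so an alert name containing either
# cannot break out of the "message" string and corrupt (or extend) the JSON.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}
build_payload() {
    printf '{"message_format": "text", "message": "%s"}' "$(json_escape "$1")"
}

# The token is read from a 0600 file owned by the splunk user rather than
# embedded in the script or placed in the URL query string, where ps, shell
# history, proxy logs and web-server logs would all capture it. Every curl
# argument is double-quoted so no word splitting happens.
send_notification() {
    local room="$1" msg="$2" token rc
    token=$(<"$TOKEN_FILE") || return 2
    /usr/bin/curl --silent --show-error --fail \
        -H 'Content-Type: application/json' \
        -H "Authorization: Bearer ${token}" \
        -X POST \
        -d "$(build_payload "$msg")" \
        "https://api.hipchat.com/v2/room/${room}/notification" \
        >>"$LOG" 2>&1
    rc=$?
    printf 'curl_exit_code=%s\n' "$rc" >>"$LOG"
    return "$rc"               # Splunk records this as the script's exit code
}

main() {
    # Under Splunk $4 is the saved-search name; from the CLI the first
    # argument serves as a test message.
    send_notification "$ROOM_ID" "${4:-${1:-manual test}}"
}

# Only send when invoked with arguments (Splunk passes eight; a CLI test passes
# one), so sourcing the file for its functions does not fire a request.
[ "$#" -gt 0 ] && main "$@"
```

Two practical checks go with this. First, the fastest way to see what curl actually receives from a shell script is to put `set -x` after the shebang and read the trace in Splunk's splunkd.log or in the file the script writes: each argument is printed exactly as passed, quotes included. Second, Splunk runs alert scripts as the user splunkd runs as, with that user's environment and no login shell, so the token file and the log file must be readable and writable by that user; "works from my shell, fails from Splunk" is usually a difference in user, PATH or file permissions rather than in the script text.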