- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Why did Windows UF stopped running scripted inputs...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why did Windows UF stopped running scripted inputs from DS?
Hello,
Thank you for taking the time to consider my question/situation. I am working on removing static deploymentclient.conf configurations (located on endpoints under $SPLUNK_HOME/etc/system/local) in my organization in favor of using app-based configurations for this, which are sent from the existing deployment server.
Initially I had no issues removing the existing deploymentclienttest.conf file within /etc/system/local on the deployment client using a windows batch file (.bat) stored under the /etc/deployment-apps/<appName>/bin/<nameOfRemovalscript>.bat. The contents of the bat file are shown below:
del "C:\Program Files\SplunkUniversalForwarder\etc\system\local\deploymentclienttest.conf"
The 'inputs.conf' that was stored in the same custom app under the local/ directory is as shown below:
[script://C:\Program Files\SplunkUniversalForwarder\etc\apps\<nameofApp>\bin\<replaceDeploymentClient>.bat]
interval = -1
source = replaceDeploymentClient
sourcetype = scriptedInput
index = _internal
disabled = 0
However since I did this, my workstation no longer actually runs any scripts (I've tested .bat and .cmd scripts, no python or ps1) I've tried referring to the script using both absolute (shown above) and relative file paths, as well as storing the .bat file within <appname>/bin/scripts/ incase that was something that was needed, but it wasn't configured that way when I got it to work the first time.
My question is essentially this: what would cause a UF to just not be able to run scripts deployed by the DS anymore? If I go into the app and manually run the script it removes the files and does whatever other commands I entered just fine, so what gives? I'm beginning to think this is a bug, but I still have hope that this is just the result of a bad config one place or another.
Please advise on any further troubleshooting I can do. I should note that within Splunkd.log on the UF it says that the script has been scheduled to run whenever I deploy it with "restart splunkd" enabled for the app, but even that doesn't seem to do the trick.
Any help is appreciated, and thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello,
i'm actually on the same task and have an issue too. maybe we could help each other.
my issue is, my batch file cannot delete %SPLUNK_HOME%\etc\system\local\deploymentclient.conf.
splunkd.log on the client says:
04-08-2022 11:15:59.383 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\etc\apps\PBNL_DSconfig\bin\deleteDSconfig.bat"" The system cannot find the path specified.
do you use %SPLUNK_HOME% in your delete script or the full path?
and a question to your app: you have a new deploymentclient.conf in your app?
i know, sounds stupid, but you never know 😉
p.s. on my linux clients the script worked. of course with / instead of \ and the name of the sript is .sh not .bat
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
