Getting Data In

Why is interval not working on script?

hortonew
Builder

We're running a script that's used in the CiscoIPS app to pull event data from our IPS. Initially the interval was set at 1 (should be every 1 second) which was hitting our IPS more than we'd like. We then changed it to 300 (should be every 5 minutes), however after restarting both splunk services, it's still hitting the IPS every second. Any ideas?

1 Solution

andrew_garvin
Path Finder

With the release of version 1.1.1 of the Cisco IPS app, you can now specify a polling interval in the inputs.conf. Below is an example that causes the script to wait 30 seconds in between polls of the Cisco IPS appliance. You must be running version 1.1.1 or higher to use this additional option at the end of the script. Changing the "interval" underneath the script command will not affect the polling of the IPS.

[script://$SPLUNK_HOME\etc\apps\Splunk_CiscoIPS\bin\get_ips_feed.py "username" "password" "IPS_IP" "30"]
disabled = 0
index = main
interval = 1
source = SDEE
sourcetype = cisco_ips_syslog


vsarode
Loves-to-Learn

Hi @andrew_garvin, I am facing the same issue where I have 2 data poller scripts in an add-on. One is getting triggered by the interval but the other is not. I have tried correcting the order of my local/inputs.conf but it is still not working as expected. Can you please suggest what could be wrong? Below is my config for the script which is having the issue.

[digital_shadows_threat_intelligence://tes_IOC]
global_account = vitthal
interval = 90
ingesting_iocs = 1
since = 2023-06-05T05:42:56Z
threat_intelligence_updates = 0
disabled = 1

hortonew
Builder

Worked like a champ - thanks for the update.


hortonew
Builder

Thanks! I'll be sure to upgrade and give it a shot.


Ayn
Legend

The script used by the Cisco IPS addon is actually running indefinitely once it's been started, so it won't matter what interval you will set for it to run. The timing is performed internally instead. I had a quick look at the script (get_ips_feed.py) and it seems there is no pause between its requests at all - once it's done with one connection it just keeps hammering away with the next.

You could modify the script to sleep at the end of its while loop, one suggestion would be to add a time.sleep(300) after ipsLogger.info(syslog_msg) (line 231).

Ayn
Legend

Did you pay attention to the indentation level when you modified the script? Python interprets different indentation levels differently. The time.sleep line should be one level "up" (= less indentation) than the ipsLogger.info line. This should make the script sleep for 300 seconds after each run of its main loop.

You don't need to restart Splunk, scripts are called directly each time they're run rather than being kept in memory.

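Both fixes in this thread (the trailing "30" argument in the accepted answer's inputs.conf stanza, and Ayn's time.sleep() at the end of the while loop) come down to the same thing: the script never exits, so Splunk's interval setting is irrelevant and the cadence has to be enforced inside the script. The following is an added example, not the Cisco IPS app's get_ips_feed.py. It models such a long-running scripted input with the poll interval read from an optional 4th argument, a correctly placed sleep at the while-body level, and, for contrast, the same loop with the sleep indented one level too far. The fetch function, the event strings and the default of 300 seconds are constructed for the example.

```python
"""Model of a long-running Splunk scripted input (added example, not the
Cisco IPS app's own get_ips_feed.py).

Splunk's `interval` in inputs.conf only decides how often Splunk tries to
start the script; since this script never exits, the real polling cadence
is whatever the loop does between requests.
"""
import sys
import time

DEFAULT_POLL_SECONDS = 300  # assumption: used when no 4th argument is given


def parse_args(argv):
    """Return (username, password, host, poll_seconds) from the argv that the
    stanza passes in, matching the "username" "password" "IPS_IP" "30" form.
    The 4th argument is optional; unusable values fall back to the default."""
    if len(argv) < 4:
        raise SystemExit("usage: get_feed.py username password host [poll_seconds]")
    username, password, host = argv[1:4]
    poll_seconds = DEFAULT_POLL_SECONDS
    if len(argv) > 4:
        try:
            poll_seconds = int(argv[4])
        except ValueError:
            pass
        if poll_seconds < 1:
            poll_seconds = DEFAULT_POLL_SECONDS
    return username, password, host, poll_seconds


def poll_forever(fetch, emit, poll_seconds, sleep=time.sleep, max_polls=None):
    """Main loop. `fetch()` is a hypothetical stand-in for the SDEE call and
    returns a list of events; `emit(event)` writes one line for Splunk.
    `sleep` and `max_polls` are injectable so the loop can be exercised
    without blocking; a real input runs with max_polls=None."""
    polls = sleeps = 0
    while max_polls is None or polls < max_polls:
        for ev in fetch():
            emit(ev)          # inner block: one output line per event
        polls += 1
        # The sleep belongs HERE, at the while-body level, so the script
        # pauses once per poll whether or not the poll returned anything.
        sleep(poll_seconds)
        sleeps += 1
    return polls, sleeps


def poll_with_misplaced_sleep(fetch, emit, poll_seconds, sleep, max_polls):
    """The same loop with the sleep indented one level too far (inside the
    for loop): it sleeps once per event and not at all on an empty poll, so
    a quiet sensor gets hammered back to back."""
    polls = sleeps = 0
    while polls < max_polls:
        for ev in fetch():
            emit(ev)
            sleep(poll_seconds)   # wrong level: per event, not per poll
            sleeps += 1
        polls += 1
    return polls, sleeps


# Constructed sample feed: three polls, the second of which returns nothing.
_SAMPLE_POLLS = [
    ["sig=2000 src=10.0.0.5", "sig=2001 src=10.0.0.9"],
    [],
    ["sig=3002 src=10.0.0.7"],
]


def run_sample():
    """Drive both loops over the constructed feed with a recording sleep and
    return the (polls, sleeps) counts plus the emitted events for each."""
    results = {}
    for name, loop in (("right", poll_forever), ("wrong", poll_with_misplaced_sleep)):
        remaining = list(_SAMPLE_POLLS)
        emitted, slept = [], []
        counts = loop(lambda: remaining.pop(0) if remaining else [],
                      emitted.append, 30, sleep=slept.append,
                      max_polls=len(_SAMPLE_POLLS))
        results[name] = (counts, emitted, slept)
    return results


if __name__ == "__main__":
    user, pw, host, every = parse_args(sys.argv)
    print(f"polling {host} as {user} every {every}s", file=sys.stderr)
    poll_forever(lambda: [], print, every)
```

With the constructed feed the correctly placed sleep fires three times (once per poll, including the empty one) while the misplaced one fires three times only because three events happened to arrive, and never on the empty poll; on a quiet sensor the difference is one request every 30 seconds versus a tight loop.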

hortonew
Builder

It didn't affect the script at all. I tried restarting the entire server after implementing it, in case it was still running in memory, but no luck. Any other ideas?


hortonew
Builder

Thanks for the reply. I'll give it a shot and let you know how it goes.
