What four files does it not list?
The files it does not see include.
htmltree
jwhois
mech-dump
xpath
The first four, last four
Well this depends on how you sort them, name, modification time, inode, etc.. I don't find any pattern.
Does it always skip the SAME four?
Yes it always skip the SAME four. For testing I added another binary called test and it did not appear either
If the scripts are short and simple enough, pasting them in may help, too.
It is a python script, very similar to existing external_lookup.py with little tweaks to add.
The original script was for doing whoislookup, but when it did not work I wrote simple test scripts as below:
vi ls_lookup.py
#!/usr/bin/env python
from subprocess import PIPE, Popen
import os
import csv
import sys
import json
def listfiles(ip):
try:
p1 = Popen(["ls", "/home/xxx/bin64"],stdout=PIPE,stderr=PIPE)
(out,err) = p1.communicate()
if out:
return out
else:
return str(err)
except Exception as e:
return e
def main():
if len(sys.argv) !=3:
print "Usage: python ls_lookup.py [ip_field] [ls_output]"
sys.exit(1)
ip_field = sys.argv[1]
ls_output = sys.argv[2]
infile = sys.stdin
outfile = sys.stdout
r = csv.DictReader(infile)
header = r.fieldnames
w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
w.writeheader()
for result in r:
if result[ip_field] and result[ls_output]:
w.writerow(result)
if result[ip_field]:
result[ls_output] = listfiles(result[ip_field])
w.writerow(result)
main()
Test command:
printf "clientip,lscheck\n10.0.0.0n" | /splunk/bin/python ls_lookup.py clientip lscheck
The above test command list all the files perfectly fine.
Now when I do this in the Splunk UI:
index=test sourcetype=stest | lookup ls_lookup clientip as ip | table ip, lscheck
In the lscheck field I see list of files, but it does not list the above mentioned four files 😞
"No such file or directory"
If I change the popen in above script to "p1 = Popen(["ls", "/home/xxx/bin64/jwhois"],stdout=PIPE,stderr=PIPE)", it gives an error 'No such file or directory' in the lscheck field, for obvious reason 🙂
... View more