"How are these transactions linked together... by a field called "ID"? If so.. just build them with the field ID, and then use one of the MV commands to extract a field with success or failure in it. Paste some samples and…"
The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Nikita posted a discussionCount failures and success via transaction
Hi,I'm a new in Splunk so sorry for the stupid questions.I want to calculate failures in logs.For example we have request log and response log."request" OR ("fail" OR "response") |transaction startsWith=("request") endsWith=("fail" OR "response") maxpause=5s keepevicted=false maxspan=25s id |eval Failure=if(searchmatch("fail"),1,0)| eval Success=if(searchmatch("response"),1,0) | stats count(Failure) as FailureCount, count(Success) as SuccessCount | table FailureCount SuccessCountThat query…See More
Scripted Input - How to configure interval for one-shot data streams?
Hi ninjas ;-)
I have a quite tricky question and I'm wondering if this is a bug with the script handling of splunk. I have a scripted input (which is a python script) that opens a tcp server socket (listens on a tcp port). The script generates events and sends them to stdout. The problem is when I restart splunk or disable the scripted input via the manager the python script keeps running. I've tried to configure all interval settings that made sence IMO (-1, 0 and 1) but none of them worked. Once the splunk server is restarted or the input is re-enabled the script crashed because the port is already in use by the previously started script.
before stopping splunk:
$ ps -ef | grep myscript
root 1734 1582 0 21:58 ? 00:00:00 /bin/sh -c python /opt/splunk/etc/apps/myapp/bin/myscript.py
root 1735 1734 0 21:58 ? 00:00:00 python /opt/splunk/etc/apps/myapp/bin/myscript.py
after stopping splunk:
$ ps -ef | grep myscript
root 1735 1 0 21:58 ? 00:00:00 python /opt/splunk/etc/apps/myapp/bin/myscript.py
Is there a way for the python script to detect that it's not attached to the splunk instance anymore? One solution that crossed my mind is to observe the parent process id but I don't like this solution as it will only work on *NIX or at least I haven't figured a way to do it on windows yet.
Any hints greatly appreciated!
Cheers, Siegfried
I have a quite tricky question and I'm wondering if this is a bug with the script handling of splunk. I have a scripted input (which is a python script) that opens a tcp server socket (listens on a tcp port). The script generates events and sends them to stdout. The problem is when I restart splunk or disable the scripted input via the manager the python script keeps running. I've tried to configure all interval settings that made sence IMO (-1, 0 and 1) but none of them worked. Once the splunk server is restarted or the input is re-enabled the script crashed because the port is already in use by the previously started script.
before stopping splunk:
$ ps -ef | grep myscript
root 1734 1582 0 21:58 ? 00:00:00 /bin/sh -c python /opt/splunk/etc/apps/myapp/bin/myscript.py
root 1735 1734 0 21:58 ? 00:00:00 python /opt/splunk/etc/apps/myapp/bin/myscript.py
after stopping splunk:
$ ps -ef | grep myscript
root 1735 1 0 21:58 ? 00:00:00 python /opt/splunk/etc/apps/myapp/bin/myscript.py
Is there a way for the python script to detect that it's not attached to the splunk instance anymore? One solution that crossed my mind is to observe the parent process id but I don't like this solution as it will only work on *NIX or at least I haven't figured a way to do it on windows yet.
Any hints greatly appreciated!
Cheers, Siegfried
Tags: python, scripted-input
Views: 109
Replies to This Discussion
-
Permalink Reply by Michael Wilde on -
We've got some data generators we use (internally for demos) as scripted inputs. For example, i have one that generates data for F5's Application Security Manager, so we can demo/develop the F5 app. Its entry in inputs.conf looks like this:
[script://./bin/f5_asm_logger.py]
interval = -1
sourcetype = asm_log
source = /var/log/sample.f5.asm.log
When its running, "ps" shows this:
root 11517 11428 0 Dec15 ? 00:05:21 python /opt/splunk/etc/apps/F5_datagen/bin/f5_asm_logger.py
When splunk is stopped, no python processes are running. It does take my Splunk a while to shut down because i have alot of these scripts running to generate data.
What you're doing should work... without discovering a bug (could be possible).. might you dump the PID to a file in /var/run and check for existence when you start up the script--killing the process if it should exist?
Just some thoughts.
© 2012 Created by Michael Wilde.
