Troubleshoot script errors in Splunk Enterprise Security
Troubleshoot script errors from modular inputs in Splunk Enterprise Security. If you see a message about a script exiting abnormally or a script that is in an unknown state, investigate the script and stanza that produced the error.
Audit - Script Errors search replaces a configuration check script and creates Splunk messages to warn about non-zero exit codes that result from scripts in your Splunk deployment.
|Possible root cause||Verification||Mitigation|
|The script did not run successfully.||Review the log files for the script. Run the script manually to see if it runs successfully, and review the exit code that results.||Address the reasons why the script exited with a non-zero exit code.|
|The script ran successfully with a non-zero exit code.||Run the script manually to see if it runs successfully, and review the exit code that results.||Include the script in the suppression for the search so that it does not display messages for this script.|
|The script is in an unknown state. There is a stop time for the script, but no exit status or start time.||Check the modular input settings to confirm they are correct.||Correct the modular input settings.|
See Configure a script for an alert action in the Splunk Enterprise Alerting Manual and What Splunk software logs about itself in the Splunk Enterprise Troubleshooting Manual.
Prevent messages about specific scripts
If needed, you can prevent messages about specific scripts by modifying the match syntax in the
If you had locally-defined script suppression regex in the
[configuration_check://confcheck_script_errors] stanza, you can replicate it in the macro. For example, the suppression stanza includes the following regular expression:
suppress = ((streamfwd|splunk-(wmi\.path|MonitorNoHandle\.exe|winevtlog\.exe|netmon\.exe|perfmon\.exe|regmon\.exe|winprintmon\.exe|admon\.exe)).*exited with code 1)
The macro replicates this suppression with the following definition:
match(script, "(streamfwd|splunk-(wmi\.path|MonitorNoHandle\.exe|winevtlog\.exe|netmon\.exe|perfmon\.exe|regmon\.exe|winprintmon\.exe|admon\.exe|powershell\.exe))") AND exit_status=1
To reduce the frequency of messages about specific scripts rather than prevent them from appearing, throttle the alerts. Set up alert throttling for the
Audit - Script Errors search based on the necessary values, such as the
- For Splunk Enterprise, see Throttle alerts in the Alerting Manual.
- For Splunk Cloud Platform, see Throttle alerts in the Alerting Manual.
Disable the configuration checker
To stop the messages by disabling the configuration checks, such as
confcheck_app_exports.py, do the following:
- On the Enterprise Security menu bar, select Configure > General > Configuration Checker.
- Find the name of the script and click Disable.
Though in the case of
confcheck_app_exports.py specifically, see Export apps globally to verify if you want to export the apps or disable the configuration checker.
Export apps globally
Splunk Enterprise Security no longer selectively imports apps and add-ons based on the name of the app or add-on. Knowledge objects in apps and add-ons that are installed on the same search head as Splunk Enterprise Security and exported to other apps or globally are visible in Splunk Enterprise Security. Apps that are not exported globally are flagged by the
confcheck_app_exports.py health check.
To verify a global export from the search head, check the
local.meta file of the app or add-on for
export = system. For further details, see the "Make Splunk knowledge objects globally available" section of App architecture and object ownership in the Splunk Enterprise Admin Manual.
Or when installing ES in a search head cluster environment, verify that your
server.conf shclustering configuration is in
$SPLUNK_HOME/etc/system/local/server.conf or is in an app that exports the server configuration globally via metadata:
export = system
See Prerequisites for installing Enterprise Security in a search head cluster environment in the Splunk Enterprise Installation and Upgrade Manual.
Dashboard requirements matrix for Splunk Enterprise Security
Troubleshoot messages about default indexes searched by the admin role
This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0
Feedback submitted, thanks!