Splunk® Enterprise Security

Administer Splunk Enterprise Security

Download manual as PDF

Download topic as PDF

Troubleshoot script errors in Splunk Enterprise Security

Troubleshoot script errors from modular inputs in Splunk Enterprise Security. If you see a message about a script exiting abnormally or a script that is in an unknown state, investigate the script and stanza that produced the error.

The Audit - Script Errors search replaces a configuration check script and creates Splunk messages to warn about non-zero exit codes that result from scripts in your Splunk deployment.

Possible root cause Verification Mitigation
The script did not run successfully. Review the log files for the script. Run the script manually to see if it runs successfully, and review the exit code that results. Address the reasons why the script exited with a non-zero exit code.
The script ran successfully with a non-zero exit code. Run the script manually to see if it runs successfully, and review the exit code that results. Include the script in the suppression for the search so that it does not display messages for this script.
The script is in an unknown state. There is a stop time for the script, but no exit status or start time. Check the modular input settings to confirm they are correct. Correct the modular input settings.

See Configure a script for an alert action in the Splunk Enterprise Alerting Manual and What Splunk software logs about itself in the Splunk Enterprise Troubleshooting Manual.

Prevent messages about specific scripts

If needed, you can prevent messages about specific scripts by modifying the match syntax in the `script_error_msg_ignore` macro.

If you had locally-defined script suppression regex in the [configuration_check://confcheck_script_errors] stanza, you can replicate it in the macro. For example, the suppression stanza includes the following regular expression:

suppress = ((streamfwd|splunk-(wmi\.path|MonitorNoHandle\.exe|winevtlog\.exe|netmon\.exe|perfmon\.exe|regmon\.exe|winprintmon\.exe|admon\.exe)).*exited with code 1)

The macro replicates this suppression with the following definition:

match(script, "(streamfwd|splunk-(wmi\.path|MonitorNoHandle\.exe|winevtlog\.exe|netmon\.exe|perfmon\.exe|regmon\.exe|winprintmon\.exe|admon\.exe|powershell\.exe))") AND exit_status=1

To reduce the frequency of messages about specific scripts rather than prevent them from appearing, throttle the alerts. Set up alert throttling for the Audit - Script Errors search based on the necessary values, such as the script field.

Disable the configuration checker

To stop the messages by disabling the configuration checks, such as confcheck_app_exports.py, do the following:

  1. On the Enterprise Security menu bar, select Configure > General > Configuration Checker.
  2. Find the name of the script and click Disable.

Though in the case of confcheck_app_exports.py specifically, see Export apps globally to verify if you want to export the apps or disable the configuration checker.

Export apps globally

Splunk Enterprise Security no longer selectively imports apps and add-ons based on the name of the app or add-on. Knowledge objects in apps and add-ons that are installed on the same search head as Splunk Enterprise Security and exported to other apps or globally are visible in Splunk Enterprise Security. Apps that are not exported globally are flagged by the confcheck_app_exports.py health check.

To verify a global export from the search head, check the local.meta file of the app or add-on for export = system. For further details, see the "Make Splunk knowledge objects globally available" section of App architecture and object ownership in the Splunk Enterprise Admin Manual.

Or when installing ES in a search head cluster environment, verify that your server.conf shclustering configuration is in $SPLUNK_HOME/etc/system/local/server.conf or is in an app that exports the server configuration globally via metadata:

[server]
export = system

See Prerequisites for installing Enterprise Security in a search head cluster environment in the Splunk Enterprise Installation and Upgrade Manual.

PREVIOUS
Create a Splunk Web message in Splunk Enterprise Security
  NEXT
Troubleshoot messages about default indexes searched by the admin role

This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters