Troubleshoot script errors in Splunk Enterprise Security
Troubleshoot script errors from modular inputs in Splunk Enterprise Security. If you see a message about a script exiting abnormally or a script that is in an unknown state, investigate the script and stanza that produced the error.
The Audit - Script Errors search replaces a configuration check script. It creates Splunk messages to warn about non-zero exit codes returned by scripts in your Splunk deployment.
| Possible root cause | Verification | Mitigation |
|---|---|---|
| The script did not run successfully. | Review the log files for the script. Run the script manually to see if it runs successfully, and review the exit code that results. | Address the reasons why the script exited with a non-zero exit code. |
| The script ran successfully with a non-zero exit code. | Run the script manually to see if it runs successfully, and review the exit code that results. | Include the script in the suppression for the search so that it does not display messages for this script. |
| The script is in an unknown state. There is a stop time for the script, but no exit status or start time. | Check the modular input settings to confirm they are correct. | Correct the modular input settings. |
Prevent messages about specific scripts
If needed, you can prevent messages about specific scripts by modifying the match syntax in the
If you had a locally-defined script suppression regex in the [configuration_check://confcheck_script_errors] stanza, you can replicate it in the macro. For example, the suppression stanza includes the following regular expression:
suppress = ((streamfwd|splunk-(wmi\.path|MonitorNoHandle\.exe|winevtlog\.exe|netmon\.exe|perfmon\.exe|regmon\.exe|winprintmon\.exe|admon\.exe)).*exited with code 1)
The macro replicates this suppression with the following definition:
match(script, "(streamfwd|splunk-(wmi\.path|MonitorNoHandle\.exe|winevtlog\.exe|netmon\.exe|perfmon\.exe|regmon\.exe|winprintmon\.exe|admon\.exe|powershell\.exe))") AND exit_status=1
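To see which events the stanza regex and the macro definition above would each suppress, here is an added example (not part of the Splunk documentation) that applies both patterns to constructed sample events. It assumes the macro's `script` field holds the script name and `exit_status` holds the integer exit code.

```python
import re

# Suppression regex from the [configuration_check://confcheck_script_errors] stanza quoted above.
STANZA_SUPPRESS = re.compile(
    r"((streamfwd|splunk-(wmi\.path|MonitorNoHandle\.exe|winevtlog\.exe|netmon\.exe"
    r"|perfmon\.exe|regmon\.exe|winprintmon\.exe|admon\.exe)).*exited with code 1)"
)

# Script pattern from the macro's match(script, ...) clause quoted above.
# Note the macro also lists powershell.exe, which the stanza regex does not.
MACRO_SCRIPT = re.compile(
    r"(streamfwd|splunk-(wmi\.path|MonitorNoHandle\.exe|winevtlog\.exe|netmon\.exe"
    r"|perfmon\.exe|regmon\.exe|winprintmon\.exe|admon\.exe|powershell\.exe))"
)


def stanza_suppressed(message: str) -> bool:
    """True if the legacy stanza regex would suppress this raw script-error message."""
    return STANZA_SUPPRESS.search(message) is not None


def macro_suppressed(script: str, exit_status: int) -> bool:
    """True if the macro (match(script, ...) AND exit_status=1) would suppress the event.

    Assumption: `script` is the script name and `exit_status` the integer exit code.
    """
    return MACRO_SCRIPT.search(script) is not None and exit_status == 1


# Constructed sample events: (script field, exit_status field, raw message).
SAMPLE_EVENTS = [
    ("splunk-winevtlog.exe", 1, "splunk-winevtlog.exe exited with code 1"),
    ("splunk-winevtlog.exe", 2, "splunk-winevtlog.exe exited with code 2"),
    ("splunk-powershell.exe", 1, "splunk-powershell.exe exited with code 1"),
    ("my_custom_input.py", 1, "my_custom_input.py exited with code 1"),
]


def compare(events=SAMPLE_EVENTS):
    """Return (script, suppressed_by_stanza, suppressed_by_macro) for each event."""
    return [(s, stanza_suppressed(m), macro_suppressed(s, e)) for s, e, m in events]


if __name__ == "__main__":
    for script, by_stanza, by_macro in compare():
        print(f"{script:24} stanza={by_stanza!s:5} macro={by_macro}")
```

Only exit code 1 is suppressed by either form; a custom script with exit code 1 still produces a message unless you add it to the macro.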
To reduce the frequency of messages about specific scripts rather than prevent them from appearing, throttle the alerts. Set up alert throttling for the Audit - Script Errors search based on the necessary values, such as the
- For Splunk Enterprise, see Throttle alerts in the Alerting Manual.
- For Splunk Cloud, see Throttle alerts in the Alerting Manual.
Disable the configuration checker
To stop the messages by disabling the configuration checks, such as confcheck_app_exports.py, do the following:
- On the Enterprise Security menu bar, select Configure > General > Configuration Checker.
- Find the name of the script and click Disable.
In the case of confcheck_app_exports.py specifically, also check the 5.3.0 release notes regarding Improved App Import and Export Support to decide whether you want to export the apps or disable the configuration checker. See What's New.
This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1