NDietrich / Splunk-CustomSearchProtocol-v2

A repository for resources and example code to explain the specifications for Splunk's Custom Search Protocol v2
GNU General Public License v2.0

Writing to stderr is actually fine #1

Open budroco opened 1 year ago

budroco commented 1 year ago

Hey Noah, thanks a lot for doing the work of Splunk Inc. in documenting this protocol.

In your presentation (13:37) you claim that writing anything to stderr will terminate the command, but this is not the case in my setup (Splunk v8). The behavior seems to be the same as that of modular inputs: Anything written to stderr appears in the splunk.log and the command runs through just fine.

budroco commented 1 year ago

Well - sometimes, depending on the script, the output doesn't actually show up in the splunk log directly, but only in the search.log. I'm not yet sure why, but I definitely haven't managed to crash my script using stderr output so far.

NDietrich commented 1 year ago

What language are you using for your testing? Everything I wrote was written in JavaScript (node) and tested on Splunk Enterprise (8.2.0 I think?), and anytime anything was written to stderr, it would cause the custom search command to fail immediately, Splunk web would display 'external search command exited unexpectedly', and the text written to stderr would wind up in the search.log file for the search.

I wasn't able to get anything written to the search.log directly (because it's locked by the process); only by writing via stderr would I get anything in the search.log.

budroco commented 1 year ago

I'm using the Python Splunklib and outputting stuff using print("hey", file=sys.stderr). Could it be your process terminating itself?