Book Image

Splunk Operational Intelligence Cookbook

Book Image

Splunk Operational Intelligence Cookbook

Overview of this book

Table of Contents (17 chapters)
Splunk Operational Intelligence Cookbook
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Preface
Index

Using scripted inputs


Not all data that is useful for operational intelligence comes from logfiles or network ports. Splunk will happily take the output of a command or script and index it along with all of your other data.

Scripted inputs are a very helpful way to get that hard-to-reach data. For example, if you have third-party-supplied command-line programs that can output data you would like to collect, Splunk can run the command periodically and index the results. Typically scripted inputs are often used to pull data from a source, whereas network inputs await a push of data from a source.

This recipe will show you how to configure Splunk on an interval to execute your command and direct the output into Splunk.

Getting ready

To step through this recipe, you will need a running Splunk server and the provided scripted input script suited to the environment you are using. For example, if you are using Windows, use the cp01_scripted_input.bat file. This script should be placed in the $SPLUNK_HOME/bin/scripts directory. There are no other prerequisites.

How to do it...

Follow the steps in the recipe to configure a scripted input:

  1. Log in to your Splunk server.

  2. From the home launcher in the top-right corner, click on the Add Data button.

  3. In the Or Choose a Data Source list, click on the Run and collect the output of a script link.

  4. An Add new screen will be displayed, with a number of input fields. In the Source section, enter the full path for the command to be run, including any command-line arguments. All scripts must be located in a Splunk bin directory, either in $SPLUNK_HOME/bin/scripts or an appropriate bin directory in a Splunk app.

  5. Enter the value in the Interval field (in seconds) in which the script is to be run; the default value is 60.0 seconds.

  6. In the Source type section, you have the option to select a predefined source type, or select Manual and enter your desired value. For the purposes of this recipe, select Manual as the sourcetype and enter cp01_scripted_input as the value for the sourcetype.

    Data will be indexed into Splunk's default index, which is main. To change the destination index, you can check the box labeled More Settings and select the desired index from the drop-down list.

  7. Click on Save, and on the next screen, click on Start searching. Splunk is now configured to execute the scripted input you provided every 60 seconds in accordance with the specified interval. You can search for the data returned by the scripted input using the following search over All time:

    sourcetype=cp01_scripted_input

How it works...

When adding a new scripted input, you are directing Splunk to add a new configuration stanza into an inputs.conf file behind the scenes. The Splunk server can contain one or more inputs.conf files and these are located either in $SPLUNK_HOME/etc/system/local or the local directory of a Splunk app.

After creating a scripted input, Splunk sets up an internal timer and will execute the command that you have specified in accordance with the defined interval. It is important to note that Splunk will only run one instance of the script at a time, so if the script gets blocked for any reason, it will cause the script to not be executed again, until after it has been unblocked.

Since Splunk 4.2, any output of the scripted inputs that are directed to stderr (causing an error) will be captured in the splunkd.log file, which can be useful when attempting to debug the execution of a script. As Splunk indexes its own data by default, you can search for scripted input errors and alert on them if necessary.

For security reasons, Splunk will not execute scripts located outside of the bin directories mentioned earlier. In order to overcome this limitation, you can use a wrapper script (such as a shell script in Linux or batch file in Windows) to call any other script located on your machine.

See also

  • The Indexing files and directories recipe

  • The Getting data through network ports recipe

  • The Using modular inputs recipe