topic Re: Universal Forwarder problem in Splunk Dev

Universal Forwarder problem

aalaa — Mon, 25 Nov 2019 11:09:41 GMT

Hello ,
I have a universal forwarder installed on an oracle server.
I configure this universal forwrader to monitor a script file (splunkhome \ bin \ script) that gives the enabled oracle services , but the problem that I receive the list of services activated after 20 munites that I activated or I disabled a service.
the goal is to create a real-time alert on the HS to notify that a service is currently enabled.

Any help please ?

Re: Universal Forwarder problem

gcusello — Mon, 25 Nov 2019 11:56:08 GMT

Hi @aalaa,

do you configured a scripted input or a file monitoring? in other words: do you have a script scheduled on Unix that writes results in a file and then Splunk read the file or do you manage the script execution in Splunk (scripted input)?

Anyway in both cases the question is: what's the frequency of execution of the script?

If you're using a scripted input, the results are immediately forwarderd to Indexers, so the delay is the frequency of schedulation.

if the script writes results in a file, Splunk reads it with a delay of up to thirty seconds, so the delay is still the frequency of schedulation.

Ciao.
Giuseppe

Re: Universal Forwarder problem

aalaa — Mon, 25 Nov 2019 12:12:06 GMT

Thank you Giuseppe for your response ,

I configured the script to writes in a file and i configure the file monitoring ,
how can i know the frequency of the script ?

Re: Universal Forwarder problem

gcusello — Mon, 25 Nov 2019 13:37:25 GMT

Hi @aalaa,
if you scheduled it using Unix scheduler you have to use cron (e.g.: */5 * * * * means every 5 minutes).

If you used Splunk inputs, see at https://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

interval = [<decimal>|<cron schedule>]
* How often, in seconds, to run the specified command, or a valid "cron"       schedule.
* If you specify the interval as a number, it may have a fractional       component; for example, 3.14
* To specify a cron schedule, use the following format:
  * "<minute> <hour> <day of month> <month> <day of week>"
  * Cron special characters are acceptable. You can use combinations of "*", ",", "/", and "-" to specify wildcards, separate values, specify ranges of values, and step values.
* The cron implementation for data inputs does not currently support names of months or days.
* The special value 0 forces this scripted input to be run continuously.
  As soon as the script exits, the input restarts it.
* The special value -1 causes the scripted input to run once on start-up.
* NOTE: when you specify a cron schedule, the input does not run the script on start-up.
* Default: 60.0

Ciao.
Giuseppe