https://community.splunk.com/t5/Getting-Data-In/Custom-script-input-How-to-let-Splunk-handle-files-through-a/m-p/192127#M38289 <P>Hi, </P> <P>I'm currently working on an application that handles files with a very specific format Splunk cannot directly manage, data has to be converted through a third party script. (currently a perl script)</P> <P>I would like to adapt the current configuration to let Splunk handle files (based on pattern) and call the 3rd party script which gets the file name as argument.</P> <P><STRONG>To sum up, my goal is:</STRONG></P> <UL> <LI>Splunk watches for any new or updated file (as for any standard files input)</LI> <LI>when a new file is available or a CRC file differs, Splunk calls the third party script with the file name as argument</LI> <LI>The third party script streams the converted data that Splunk will index</LI> </UL> <P>I already have a functional third party script that does that job but could yet find the better to proceed as required</P> <P>Thanks in advance for any help</P> Tue, 18 Mar 2014 09:18:14 GMT guilmxm 2014-03-18T09:18:14Z https://community.splunk.com/t5/Getting-Data-In/Custom-script-input-How-to-let-Splunk-handle-files-through-a/m-p/192127#M38289 <P>Hi, </P> <P>I'm currently working on an application that handles files with a very specific format Splunk cannot directly manage, data has to be converted through a third party script. (currently a perl script)</P> <P>I would like to adapt the current configuration to let Splunk handle files (based on pattern) and call the 3rd party script which gets the file name as argument.</P> <P><STRONG>To sum up, my goal is:</STRONG></P> <UL> <LI>Splunk watches for any new or updated file (as for any standard files input)</LI> <LI>when a new file is available or a CRC file differs, Splunk calls the third party script with the file name as argument</LI> <LI>The third party script streams the converted data that Splunk will index</LI> </UL> <P>I already have a functional third party script that does that job but could yet find the better to proceed as required</P> <P>Thanks in advance for any help</P> Tue, 18 Mar 2014 09:18:14 GMT https://community.splunk.com/t5/Getting-Data-In/Custom-script-input-How-to-let-Splunk-handle-files-through-a/m-p/192127#M38289 guilmxm 2014-03-18T09:18:14Z https://community.splunk.com/t5/Getting-Data-In/Custom-script-input-How-to-let-Splunk-handle-files-through-a/m-p/192128#M38290 <P>Did you look into using "unarchive_cmd" for this? It sounds like it could solve your situation, even though you're not strictly "unarchiving" anything, but the principle should still be the same - Splunk detects a change, invokes the script, then ingests the data that the script outputs.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf</A></P> <PRE><CODE>unarchive_cmd = &lt;string&gt; * Only called if invalid_cause is set to "archive". * This field is only valid on [source::&lt;source&gt;] stanzas. * &lt;string&gt; specifies the shell command to run to extract an archived source. * Must be a shell command that takes input on stdin and produces output on stdout. * Use _auto for Splunk's automatic handling of archive files (tar, tar.gz, tgz, tbz, tbz2, zip) * Defaults to empty. </CODE></PRE> Tue, 18 Mar 2014 09:37:21 GMT https://community.splunk.com/t5/Getting-Data-In/Custom-script-input-How-to-let-Splunk-handle-files-through-a/m-p/192128#M38290 Ayn 2014-03-18T09:37:21Z https://community.splunk.com/t5/Getting-Data-In/Custom-script-input-How-to-let-Splunk-handle-files-through-a/m-p/192129#M38291 <P>Nice idea, i'll check and let you know, thanks</P> Tue, 18 Mar 2014 10:49:34 GMT https://community.splunk.com/t5/Getting-Data-In/Custom-script-input-How-to-let-Splunk-handle-files-through-a/m-p/192129#M38291 guilmxm 2014-03-18T10:49:34Z https://community.splunk.com/t5/Getting-Data-In/Custom-script-input-How-to-let-Splunk-handle-files-through-a/m-p/192130#M38292 <P>Ayn,</P> <P>Thank you very much for your clever suggestion, this indeed did the job as i need <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 19 Mar 2014 19:40:56 GMT https://community.splunk.com/t5/Getting-Data-In/Custom-script-input-How-to-let-Splunk-handle-files-through-a/m-p/192130#M38292 guilmxm 2014-03-19T19:40:56Z https://community.splunk.com/t5/Getting-Data-In/Custom-script-input-How-to-let-Splunk-handle-files-through-a/m-p/192131#M38293 <P>For those who would be intesrested in such as case, here is how i got it to work as i need.</P> <P>As few links that helped to implement a 3rd party script with the unarchive_cmd stanza:</P> <P><A href="http://answers.splunk.com/answers/7729/how-to-invoke-unarchive_cmd" target="_blank">http://answers.splunk.com/answers/7729/how-to-invoke-unarchive_cmd</A><BR /> <A href="http://blogs.splunk.com/2011/07/19/the-naughty-bits-how-to-splunk-binary-logfiles/" target="_blank">http://blogs.splunk.com/2011/07/19/the-naughty-bits-how-to-splunk-binary-logfiles/</A><BR /> <A href="http://answers.splunk.com/answers/10501/python-script-as-unarchive_cmd-in-propsconf" target="_blank">http://answers.splunk.com/answers/10501/python-script-as-unarchive_cmd-in-propsconf</A></P> <P>Also i had to adapt my 3rd party script to be able to manage data from stdin instead of the filename as argument (eg. cat <MYFILE> | myscript)<BR /> Depending on your case and script, you may want your script to stream the converted data that will be directly indexed by Splunk (the simplest) or you may need your script to generate csv file(s) that would be indexed by Splunk. (my case)</MYFILE></P> <P>The configuration that worked as i need:</P> <P><STRONG>props.conf</STRONG></P> <OL> <LI><P>You need to declare a source stanza associated to your 3rd party script:</P> <P>[source::/pathtorawfiles/*.<MYFILEEXTENSION>]<BR /> invalid_cause = archive<BR /> unarchive_cmd = <FULLPATHTO3RDPARTYSCRIPT><BR /> sourcetype = mysourcetype<BR /> NO_BINARY_CHECK = true</FULLPATHTO3RDPARTYSCRIPT></MYFILEEXTENSION></P></LI> <LI><P>In my case, my script generates several csv files (standard csv files with header) that Splunk will index, so i declared a second stanza. (you don't need this if your script outputs the data directly)</P> <P>[mydatasourcetype]</P> <P>FIELD_DELIMITER=,<BR /> FIELD_QUOTE="<BR /> HEADER_FIELD_LINE_NUMBER=1<BR /> NO_BINARY_CHECK=1<BR /> INDEXED_EXTRACTIONS=csv<BR /> KV_MODE=none<BR /> SHOULD_LINEMERGE=false<BR /> pulldown_type=true</P></LI> </OL> <P><STRONG>inputs.conf</STRONG></P> <OL> <LI><P>I declare a monitor associated to the raw data that need to be converted through my 3rd party script:</P> <P>[monitor:///pathtorawfiles/*.<MYFILEEXTENSION>]<BR /> disabled = false<BR /> index = myindex<BR /> sourcetype = mysourcetype</MYFILEEXTENSION></P></LI> <LI><P>As i my script generates csv files, i just want to index and delete them automatically:</P> <P>[batch://<PATHTOCONVERTEDCSVFILES>/*.csv]<BR /> disabled = false<BR /> move_policy = sinkhole<BR /> recursive = false<BR /> index = myindex<BR /> sourcetype = mydatasourcetype</PATHTOCONVERTEDCSVFILES></P></LI> </OL> <P>And that's it, works like a charm <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>This off course has to adapted to your requirement.</P> Mon, 28 Sep 2020 16:11:06 GMT https://community.splunk.com/t5/Getting-Data-In/Custom-script-input-How-to-let-Splunk-handle-files-through-a/m-p/192131#M38293 guilmxm 2020-09-28T16:11:06Z