https://community.splunk.com/t5/Monitoring-Splunk/Script-for-UF/m-p/579710#M8739 <P>Max,</P><P>Create a Splunk app and put the script in the bin folder of that app.&nbsp; The app also should contain a default directory with inputs.conf and props.conf files in it.&nbsp; The inputs.conf file tells Splunk how to run the script.</P><LI-CODE lang="markup">[script://full/path/to/the/script] interval = */5 * * * * index = foo sourcetype = mysourcetype</LI-CODE><P>The props.conf file tells Splunk how to parse the data produced by the script.</P><LI-CODE lang="markup">[mysourcetype] TIME_PREFIX = &lt;&lt;some regular expression to help Splunk find the timestamp of each event&gt;&gt; TIME_FORMAT = &lt;&lt;time format string that describes the timestamp&gt;&gt; # How many characters follow TIME_PREFIX until the end of the tiemestamp MAX_TIMESTAMP_LOOKAHEAD = 132 SHOULD_LINEMERGE = false # Regular expression that describes the text between events. # Must contain a capture group. The group will be discarded. LINE_BREAKER = ([\r\n]+) # Set this to the maximum size of the events produced by the script TRUNCATE = 10000 EVENT_BREAKER_ENABLE = true # Set this value to the same as LINE_BREAKER EVENT_BREAKER = ([\r\n]+)</LI-CODE><P>Use the Deployment Server to install the app on the relevant forwarders.&nbsp; If you have a small number of forwarders (fewer than 3) you can install the app manually.</P><P>Also install the app on the indexer(s).</P><P>Restart the forwarders and indexers after installing the app.</P> Sat, 01 Jan 2022 17:21:04 GMT richgalloway 2022-01-01T17:21:04Z https://community.splunk.com/t5/Monitoring-Splunk/Script-for-UF/m-p/579705#M8735 <P>Hi all,&nbsp;</P><P>how can I set the Universal Forwarder to run a script every 5 minute with a cronjob</P><P>Info of the script should&nbsp;be showing up when searching from the Search Head</P><P>Thanks in advance,</P><P>Max.</P> Fri, 31 Dec 2021 23:44:15 GMT https://community.splunk.com/t5/Monitoring-Splunk/Script-for-UF/m-p/579705#M8735 splunk_luis12 2021-12-31T23:44:15Z https://community.splunk.com/t5/Monitoring-Splunk/Script-for-UF/m-p/579708#M8737 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241853">@splunk_luis12</a>&nbsp;Try this:</P><LI-CODE lang="markup">[script://&lt;cmd&gt;] interval = [&lt;decimal&gt;|&lt;cron schedule&gt;]</LI-CODE><P>Reference:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Inputsconf" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Inputsconf</A></P><P>Also if this reply helped you in solving your problem an up-vote would be appreciated <span class="lia-unicode-emoji" title=":thumbs_up:">👍</span></P><P>&nbsp;</P> Sat, 01 Jan 2022 06:47:40 GMT https://community.splunk.com/t5/Monitoring-Splunk/Script-for-UF/m-p/579708#M8737 ashvinpandey 2022-01-01T06:47:40Z https://community.splunk.com/t5/Monitoring-Splunk/Script-for-UF/m-p/579709#M8738 <P>Hi&nbsp;<SPAN>ashvinpandey,&nbsp;</SPAN></P><P><SPAN>I forgot to mention that it is for Linux (CLI)</SPAN></P><P><SPAN>how would you run the following script every 5 minutes? and in which directory should I include it the UF?</SPAN></P><P><SPAN>#!/bin/bash</SPAN></P><P>function check processes (){<BR />echo ""<BR />echo "processes:"<BR />top<BR />echo ""<BR />}<BR />check_processes</P><P>&nbsp;</P><P>I appreciate a lot your help!</P><P>&nbsp;</P><P>Thanks,</P><P>Max.</P> Sat, 01 Jan 2022 17:05:57 GMT https://community.splunk.com/t5/Monitoring-Splunk/Script-for-UF/m-p/579709#M8738 splunk_luis12 2022-01-01T17:05:57Z https://community.splunk.com/t5/Monitoring-Splunk/Script-for-UF/m-p/579710#M8739 <P>Max,</P><P>Create a Splunk app and put the script in the bin folder of that app.&nbsp; The app also should contain a default directory with inputs.conf and props.conf files in it.&nbsp; The inputs.conf file tells Splunk how to run the script.</P><LI-CODE lang="markup">[script://full/path/to/the/script] interval = */5 * * * * index = foo sourcetype = mysourcetype</LI-CODE><P>The props.conf file tells Splunk how to parse the data produced by the script.</P><LI-CODE lang="markup">[mysourcetype] TIME_PREFIX = &lt;&lt;some regular expression to help Splunk find the timestamp of each event&gt;&gt; TIME_FORMAT = &lt;&lt;time format string that describes the timestamp&gt;&gt; # How many characters follow TIME_PREFIX until the end of the tiemestamp MAX_TIMESTAMP_LOOKAHEAD = 132 SHOULD_LINEMERGE = false # Regular expression that describes the text between events. # Must contain a capture group. The group will be discarded. LINE_BREAKER = ([\r\n]+) # Set this to the maximum size of the events produced by the script TRUNCATE = 10000 EVENT_BREAKER_ENABLE = true # Set this value to the same as LINE_BREAKER EVENT_BREAKER = ([\r\n]+)</LI-CODE><P>Use the Deployment Server to install the app on the relevant forwarders.&nbsp; If you have a small number of forwarders (fewer than 3) you can install the app manually.</P><P>Also install the app on the indexer(s).</P><P>Restart the forwarders and indexers after installing the app.</P> Sat, 01 Jan 2022 17:21:04 GMT https://community.splunk.com/t5/Monitoring-Splunk/Script-for-UF/m-p/579710#M8739 richgalloway 2022-01-01T17:21:04Z https://community.splunk.com/t5/Monitoring-Splunk/Script-for-UF/m-p/579711#M8740 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241853">@splunk_luis12</a>&nbsp;Check this doc:&nbsp;<A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/AdvancedDev/ScriptSetup" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/SplunkCloud/latest/AdvancedDev/ScriptSetup</A>&nbsp;</P> Sat, 01 Jan 2022 17:23:12 GMT https://community.splunk.com/t5/Monitoring-Splunk/Script-for-UF/m-p/579711#M8740 ashvinpandey 2022-01-01T17:23:12Z