Alerting

how to create a button that triggers script in Forwarder from indexer

sieutruc
Contributor

Hello Splunkers,

I know that scripted inputs have a lot of options that the user can execute and schedule at the right time. But in my system, I need to create a button so that the user can press it and the script will be executed or stopped whenever he wants. I have looked at almost all of the documentation on the Splunk website; unfortunately I don't see an appropriate one.
Can you show me how to do that?
My indexer/search head is on Linux and there are UFs (Universal Forwarders) on Windows-based machines.

[info]

In fact, in my company, there are a lot of embedded systems that need to be controlled by script (VBS). Those scripts are started by the controllers when they want to test such embedded systems, and they also print all test results to the console.

So, I need to create a button on the web graphical interface that can execute scripts manually and stop them when necessary, instead of running them on a schedule.

Normally, I think it can be done by installing an SSH server on the Windows-based machines, and using a button module to run a search something like:

| execute.py

where execute.py would do something like: ssh [username]@[machine] "[scriptName].vbs"

But the problem is that an SSH server cannot be installed on those machines, so does Splunk provide functionality that is able to solve my problem: connect to the UF client on the Windows machine and execute a batch/VBS script?

0 Karma
1 Solution

bmacias84
Champion

The only way to modify .conf files without restarting is to use Splunk Web or the CLI; however, the UF does not contain a Splunk Web instance. The UF has a CLI and can be accessed remotely. This depends on the Splunk management port (default port 8089) being allowed from the management server or desktop. Using the CLI you could add, edit, or remove inputs, which could be scripted.

Things to know about remote CLI:

  • Disabled by default until the default password is changed or allowRemoteLogin=always is set in $SPLUNK_HOME/etc/system/local/server.conf.
  • Just like Splunk Web, advanced configuration can only be done by editing the .conf files directly.

Note: You could create an additional user with the admin role.

Adding/editing inputs:


./splunk add monitor C:\Windows\windowsupdate.log -index newindex -uri https://splunkserver:8089
./splunk edit monitor C:\Windows\windowsupdate.log -sourcetype winlog -uri https://splunkserver:8089

Using the method above you can't disable a monitor, or at least it's not a parameter shown in the documentation. Also, this will edit $SPLUNK_HOME/etc/system/local/inputs.conf, so in any stanza conflict the app, user, or search context will take precedence.
Another option would be to create an app containing your inputs that is NOT managed by the Deployment Server and use the CLI to enable or disable the app. Why an app NOT managed by the Deployment Server? The reason is that changes performed outside the Deployment Server will be overwritten by the Deployment Server on the next check-in interval.

Enable/Disable apps:


./splunk disable app mycustominputs -uri https://splunkserver:8089
./splunk enable app mycustominputs -uri https://splunkserver:8089

I am not completely familiar with all the CLI capabilities, so you may find a CLI command that does work for you. Also, you could use remote PowerShell, WMI, WinRM, or PsExec as other options.

Update:
If you just want to add a scripted input just once, I'd use a oneshot input, which will take your scripted input and add it to Splunk as a one-time run. The CLI doesn't provide a method for scripted inputs. You could create a scripted input that runs on an interval, storing your output to a temp file, and then calls a oneshot for pickup. Then disable the app and re-enable it when needed. Definitely not an elegant solution.

Post : Using script input/one shot

Step further:
You could create an app using the App Framework to display a button for each forwarder and execute disable app, add input, remove input, etc., all from Splunk's CherryPy web server framework. A little overboard, but we do a similar thing with Web2Py to simplify tasks and eventually hand them off to tier 1-2.

Additional reading:

Access and use the CLI on a remote server

Monitor files and directories using the CLI

Monitor files and directories

App Framework

I hope this helps or gets you started.

Cheers


bmacias84
Champion

@sieutruc, updated my post with a section on oneshot with scripted input. Reached the limits of my knowledge on inputs.

0 Karma


bmacias84
Champion

@anshu2812, currently there is no built-in way in Splunk to do exactly what you want, but you can come close. Oneshot does not exist for scripted inputs.

Question 1: Not sure if I understand. You can create a dashboard to disable/enable apps using the CLI or API on a forwarder. Splunk's back end is just a variant of the CherryPy web server. If you can write or build your own page, it is possible.

Question 2: If you want to do this with search, you could write your own custom search command that would use the REST API.

Also, your scripts must already exist on the forwarders.

0 Karma
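The accepted answer's enable/disable commands and the reply above about a custom search command both come down to the same thing: an authenticated call to the forwarder's management port (8089). The script below is an added example, not code from the thread or from Splunk; it drives the REST endpoints behind `splunk enable app` / `splunk disable app` (`/services/apps/local/<app>/enable|disable`) and reads back the app state with `output_mode=json`. The forwarder name `uf01`, the app name `mycustominputs`, the service account `svc`, and the CA bundle path are assumptions for illustration, and the status JSON embedded at the bottom is constructed, not captured. Two points a practitioner would want: the management port speaks TLS, so the `http://` URIs in the original post will not work and the script refuses them; and because the app name is the one thing a dashboard button hands to the back end, it is checked against an allowlist before it is put into a URL path.

```python
"""Enable/disable an app on a remote Universal Forwarder over its management port.

Added example, not part of the original thread. Uses only the Splunk REST
endpoints that back the CLI commands shown in the accepted answer:
  POST /services/apps/local/<app>/disable
  POST /services/apps/local/<app>/enable
  GET  /services/apps/local/<app>?output_mode=json
Assumed (not from the post): host uf01, account svc, app mycustominputs,
and a CA bundle that signed the forwarder's server certificate.
"""
import base64
import json
import re
import ssl
import urllib.request

# Conservative allowlist for app folder names (assumption, not Splunk's rule):
# a dashboard button supplies this value, so never let it shape the URL path.
APP_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def build_request(base_uri, app, action, username, password):
    """Return (url, method, headers) for an enable/disable/status call."""
    if not base_uri.startswith("https://"):
        raise ValueError("the management port speaks TLS; refusing plain http")
    if not APP_NAME_RE.match(app):
        raise ValueError("app name contains characters that do not belong in a URL path")
    if action not in ("enable", "disable", "status"):
        raise ValueError(f"unknown action {action!r}")
    path = f"{base_uri.rstrip('/')}/services/apps/local/{app}"
    if action == "status":
        url, method = f"{path}?output_mode=json", "GET"
    else:
        url, method = f"{path}/{action}?output_mode=json", "POST"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return url, method, {"Authorization": f"Basic {token}"}


def _truthy(value):
    """Splunk renders 'disabled' as a JSON bool, but be tolerant of '0'/'1'/'true'."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true")


def parse_app_state(body):
    """Reduce the apps/local JSON entry to the two fields a button needs."""
    entry = json.loads(body)["entry"][0]
    return {"app": entry["name"], "enabled": not _truthy(entry["content"]["disabled"])}


def set_app_enabled(base_uri, app, enabled, username, password, cafile):
    """Flip the app, then read its state back so the caller sees the real result."""
    ctx = ssl.create_default_context(cafile=cafile)  # verify the cert; do not disable this
    action = "enable" if enabled else "disable"
    url, method, headers = build_request(base_uri, app, action, username, password)
    req = urllib.request.Request(url, data=b"", method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        resp.read()
    url, method, headers = build_request(base_uri, app, "status", username, password)
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        state = parse_app_state(resp.read())
    if state["enabled"] != enabled:
        raise RuntimeError(f"{app} is still {'enabled' if state['enabled'] else 'disabled'}")
    return state


# Constructed sample of what GET /services/apps/local/<app>?output_mode=json
# returns for a disabled app (trimmed to the fields used above).
SAMPLE_STATUS_JSON = (
    '{"entry":[{"name":"mycustominputs",'
    '"content":{"disabled":true,"label":"My custom inputs"}}]}'
)

if __name__ == "__main__":
    print(parse_app_state(SAMPLE_STATUS_JSON))
    # Live use (uncomment with real values); the account only needs the
    # capabilities to edit apps, not the full admin role:
    # set_app_enabled("https://uf01:8089", "mycustominputs", True,
    #                 "svc", "password", "/etc/ssl/splunk-ca.pem")
```

Wire the same two functions into a custom search command or a dashboard back end and you have the "button" the thread asks for; `build_request` is the part worth unit-testing, because it is the part that takes user-controlled input.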

anshu2812
Explorer

Users would want to run a script on the forwarders on a request basis. I want to provide them a button which would enable the app on the forwarder and another to disable the app. I have 2 questions:

  1. Can I call the enable/disable app CLI from the dashboard?
  2. Can this be done using the normal submit module with |[script] in the search query, or do we need some module from the App Framework as mentioned above?

Any code samples/examples would help me a lot.

0 Karma

bmacias84
Champion

@anshu2812, what exactly is your requirement?

0 Karma

anshu2812
Explorer

Did you get this working? I also have a similar requirement; the enable/disable app seems to be working, but how to get it done from a dashboard on button click? Any help would be really appreciated.

0 Karma

bmacias84
Champion

If you really want a button-like system, you are going to have to build an app using the App Framework, which will eventually replace Advanced XML (distant future). http://dev.splunk.com/view/app-framework/SP-CAAADPK

0 Karma

sieutruc
Contributor

Thanks, it's so great. I have done it with enabling and disabling in order to trigger the script only one time. But it seems that there isn't any button module to execute a script exclusively instead of | [script] in the search query. Do you have some idea how to create such a button?

Besides, can you take a look at another question of mine:
http://splunk-base.splunk.com/answers/63121/error-when-running-cli-remotely ?

0 Karma

bmacias84
Champion

If you want a pure Linux way of managing that, try Pash, a PowerShell open source reimplementation for cross-platform management, http://pash.sourceforge.net, or winexe for Linux, http://sourceforge.net/projects/winexe/. Otherwise I would use WMI modules in Perl or Python to perform WMI remote execution, if remote WMI is allowed.

0 Karma

bmacias84
Champion

OK, I might have a solution for you that will not require a restart for adding and will work remotely without SSH on Windows. Give me a few minutes to type it out.

0 Karma

sieutruc
Contributor

In my case, I want the tester to be able to trigger the script manually, instead of editing the parameter in inputs.conf on the deployment server and reloading that server class, which would affect all the other scripts that don't need to be started manually.

0 Karma

bmacias84
Champion

Can you describe your use case some more? Modifying the inputs.conf on your UF would require you to restart the Splunk service.

0 Karma