I have a server which stores some logs. Everyday news logs are added. So what I want is, every week, on a particular day, (say Friday @ 12 AM), a script will be triggered which will forward these logs from the server to Splunk installed in a windows PC.
-> scripted input
Then the analysis of these logs will begin automatically based on some predefined scenarios (say for example, how many users are using the server per month, per week or per day).
->schedule report
The search strings for these scenarios will be already stored in a database and I need to fetch those strings one by one and execute them.
->no need, use schedule report
The reports generated for all these scenarios will then be mailed to some predefined mail ids.
->config the schedule report action to send the result via email
That's the thing which I am trying to achieve, in short. 😄
Now the issues here are :
1. Is this thing even feasible considering that Splunk is not open source? 😄
->i think what you want has nothing to do with if splunk is open source or not.
2. I tried to configure the Splunk Universal Forwarder but it did not work. I made the necessary changes in the inputs.conf and outputs.conf file, added the receiving indexer using the command (splunk add forward-server :9997) and also configured receiving options in Splunk Enterprise to listen to port 9997. Still no success. Did I miss anything?
->follow http://docs.splunk.com/Documentation/Forwarder/7.2.0/Forwarder/Configuretheuniversalforwarder step by step
3. Using DB Connect app we can connect Splunk to a database and also fetch the search strings as well. But how do I ensure that the strings will be executed automatically one after the other?
->no need to get search string from db
4. How do I mail the reports generated for each scenario automatically to some predefined recipients?
->config schedule report action.
