All Apps and Add-ons
Highlighted

What are best practices for referencing a scripted input from another app?

Ultra Champion

I want to be able to reference input scripts in one app from another app. How can I do that when the script is defined using relative paths?

For example, I have the Splunk Add-on for Unix and Linux, and I want to leverage CPU statistics gathered by the input script cpu.sh in the app "Jane's App for Using UNIX Data to End World Hunger".

When I invoke cpu.sh from the Splunk Add-on for Unix and Linux, the inputs.conf stanza header is defined as script://./bin/cpu.sh. How do I invoke the cpu.sh input script from "Jane's App for Using Unix Data to End World Hunger" given that the UNIX notation for shifting up a directory ( ..) is not available with Splunk scripted inputs?

0 Karma
Highlighted

Re: What are best practices for referencing a scripted input from another app?

Ultra Champion

The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.

Scripted inputs are often defined using relative paths. When a script is located in an app's bin directory, you can define the scripted input stanza header in inputs.conf as script://./bin/cpu.sh. If you want to leverage that same input script in another app, you have to find a different way to reference the script from the context of the other app.

Before we jump into some options, review some of the principles behind where to place the scripts for scripted inputs in the Splunk Enterprise Getting Data In manual and the inputs.conf spec file, specifically the scripted input section.

Use the $SPLUNK_HOME variable

In the Splunk Add-on for Unix and Linux, the stanza header for the cpu.sh script in inputs.conf is

[script://./bin/cpu.sh]

To refer to this from outside the Splunk Add-on for Unix and Linux app (literally named Splunk_TA_nix on the filesystem), you can use the $SPLUNK_HOME variable that exists in Splunk's runtime environment:

[script://$SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/cpu.sh]

While they look different, those two paths calculate to the same fully qualified path, and thus use the same script! The $SPLUNK_HOME variable means this works both on a Universal Forwarder and a full Splunk Enterprise.

Downsides

Due to changes in the way Splunk processes scripted inputs, the above approach is no longer encouraged. Functionally, it works. But administratively, your new input stanza, script://$SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/cpu.sh will not be merged with the configuration of the original input stanza, script://./bin/cpu.sh. Therefore, your new stanza must also include the other settings like interval, source, and sourcetype.

Stronger approaches are recommended in the post What are best practices for deploying an add-on with slightly different configurations?. Nonetheless, this post is still valid at answering the specific question of referencing scripted inputs in other apps.

View solution in original post

0 Karma
Highlighted

Re: What are best practices for referencing a scripted input from another app?

Ultra Champion

Updated to reflect the practical downsides of this approach.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.