Archive

Enable FTP

Contributor

How do I enable FTP? (I know how to capture the logs after they are FTP'd to us)

We have devices that cannot have a universal forwarder installed on them. They only have FTP files. We need a way to FTP the files from these devices into our splunk server for processing.

Tags (1)
0 Karma
1 Solution

Legend

Splunk itself does not include an FTP server. You need a third-party product to provide this functionality for you.

View solution in original post

New Member

The FTP Receiver app is lacking documentation on how to get this app running. Does anyone have any suggestions? I ran this
(index=internal sourcetype=ftpmodular_input) OR (sourcetype=ftp) per the troubleshooting details and received nothing.

0 Karma

Champion

There is a README.txt file in the app that contains instructions.

Now that you have the app installed, you will need to create an input to start the FTP server:

  1. Navigate to "Settings » Data Inputs" at the menu at the top of Splunk's user interface.
  2. Click "FTP"
  3. Click "New" to make a new instance of an input

Make sure that the path that you are serving the files from exists.

See https://raw.githubusercontent.com/LukeMurphey/splunk-ftp-receiver/master/src/README.txt for the full details.

0 Karma

Champion

There now is an app that runs an FTP server so that you can accept files via FTP into Splunk directly. See the "FTP Receiver" app.

0 Karma

Path Finder

There is a new splunkbase app called "importutil". It lets you import csv files (or any input) from an http url via the splunk search command line. Also works for ftp. sftp is experimental.

http://splunk-base.splunk.com/apps/69078/importutil

Here is an ftp example. Pulling from the bureau of labor stats:

|importutil ftp ftp://ftp.bls.gov/pub/time.series/ce/ce.data.102.WeeklyEarningsHist
| multikv
| table series_id, year, period, value, footnote_codes

Here is an example that imports data from the federal reserve economic data website:

|importutil http http://research.stlouisfed.org/fred2/data/PAYEMS.csv
| multikv
| table DATE, VALUE
0 Karma

Legend

Splunk itself does not include an FTP server. You need a third-party product to provide this functionality for you.

View solution in original post

Contributor

Thank you so much! This is just what I was looking for.

Legend

The most common ftpd in Linux is simply the ftpd you get if you run 'apt-get install ftpd' on a debian/ubuntu box. There's nothing wrong with that one. There's also ProFTPD, PureFTPD, vsftpd, etc. What you might want is an FTPD that has its own user management so you don't have to mix users in the FTP server software with those in the underlying operating system. The default ftpd doesn't do this if I recall correctly, but the other ones I listed do.

Contributor

Server Platform: Linux
Server platform Version: RHEL5
Client OS: Windows xp or 7
Splunk Version: 4.3.3

0 Karma

Legend

Which OS / version?

0 Karma

Contributor

What product would you suggest?

0 Karma