I know that scripted input has a lot of options that the user can use to execute a script and schedule it at the right time. But in my system, I need to create a button so that the user can press it and the script will be executed or stopped whenever he wants. I have looked through almost all the documents on the Splunk website, but unfortunately I don't see any appropriate one.
Can you show me how to do that?
My indexer/search head is on Linux and there are UFs (universal forwarders) on Windows-based machines.
In fact, in my company, there are a lot of embedded systems that need to be controlled by script (vbs). Those scripts are started by the controllers when they want to test such embedded systems, and they also print all test results to the console.
So, I need to create a button on the web graphical interface that can execute scripts manually and stop them when necessary, instead of using a schedule.
Normally, I think it can be done by installing an SSH server on the Windows-based machines and using a module button to implement a search, something like:
where execute.py will do something like:
ssh [username]@[machine] "[scriptName].vbs"
But the problem is that those machines cannot have an SSH server installed, so does Splunk provide a functionality that is able to solve my problem? That is, connect to the UF client on a Windows machine and execute a batch/vbs script.
Can you describe your use case some more? Modifying the inputs.conf on your UF would require you to restart the Splunk service.
In my case, I want the tester to be able to trigger the script manually, instead of editing the parameter in inputs.conf on the deployment server and reloading that server class, which will affect all other scripts that needn't start manually.
Ok, I might have a solution for you that will not require a restart for adding and will work remotely without ssh on windows. Give me a few to type it out.
The only way to modify .conf without restarting is to use Splunk Web or the CLI; however, the UF does not contain a Splunk Web instance. The UF has a CLI and can be accessed remotely. This depends on the Splunk management port (default port 8089) being allowed from the management server or desktop. Using the CLI you could add, edit, or remove inputs, which could be scripted.
Things to know about remote CLI:
Note: You could create additional user with the admin role.
./splunk add monitor "C:\Windows\windowsupdate.log" -index newindex -uri https://splunkserver:8089
./splunk edit monitor "C:\Windows\windowsupdate.log" -sourcetype winlog -uri https://splunkserver:8089
Using the method above you can't disable a monitor, or it's not a parameter shown in the documentation. Also, this will edit $SPLUNK_HOME/etc/system/local/inputs.conf, so in any stanza conflicts the app, user, search will take precedence.
Another option would be to create an app containing your inputs that is NOT managed by the Deployment Server and use the CLI to enable or disable the app. Why an app NOT managed by the Deployment Server? The reason is that changes performed outside the Deployment Server will be overwritten by the Deployment Server on the next check-in interval.
./splunk disable app mycustominputs -uri https://splunkserver:8089
./splunk enable app mycustominputs -uri https://splunkserver:8089
I am not completely familiar with all the CLI capabilities, so you may find a CLI command that does work for you. Also, you could use remote PowerShell, WMI, WinRM, or PsExec as other options.
If you just want to add a script input just once, I'd use a oneshot input, which will take your scripted input and add it to Splunk as a one-time run. The CLI doesn't provide a method for scripted input. You could create a scripted input that runs on an interval, storing your output to a temp file, that then calls a oneshot for pickup. Then disable the app and re-enable it when needed. Definitely not an elegant solution.
Post : Using script input/one shot
You could create an app using the App framework to display a button for each forwarder and execute disable app, add input, remote input, etc., all from Splunk's CherryPy webserver framework. A little overboard, but we do a similar thing with Web2Py to simplify tasks and eventually hand them off to tier 1-2.
I hope this helps or gets you started.
If you want a pure Linux way of managing that, try pash, a PowerShell open source reimplementation for cross-platform management (http://pash.sourceforge.net), or winexe for Linux (http://sourceforge.net/projects/winexe/). Else I would use WMI modules in Perl or Python to perform WMI remote execute, if remote WMI is allowed.
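A guarded wrapper around the remote `enable app` / `disable app` CLI calls from the answer above, of the kind a dashboard button's backend could call; it is an added example, not code from anyone in this thread. The forwarder names, the `SPLUNK_BIN` path and the `DRY_RUN` switch are assumptions; the point is that action, host and app are checked against fixed allowlists before any command is built.

```shell
#!/bin/sh
# Added example. Assumed names: uf-lab-01/uf-lab-02 (constructed hosts),
# SPLUNK_BIN and DRY_RUN. Only the app name and CLI syntax come from the thread.
SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunk/bin/splunk}"
ALLOWED_HOSTS="uf-lab-01 uf-lab-02"   # forwarders the button may touch
ALLOWED_APPS="mycustominputs"         # app NOT managed by the Deployment Server

# in_list VALUE "space separated list": exact match against one list entry.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# Print the CLI command for a request; reject anything outside the allowlists.
build_toggle_cmd() {
    action=$1; host=$2; app=$3
    case $action in
        enable|disable) ;;
        *) echo "rejected action: $action" >&2; return 2 ;;
    esac
    in_list "$host" "$ALLOWED_HOSTS" || { echo "rejected host" >&2; return 3; }
    in_list "$app" "$ALLOWED_APPS" || { echo "rejected app" >&2; return 4; }
    printf '%s %s app %s -uri https://%s:8089\n' \
        "$SPLUNK_BIN" "$action" "$app" "$host"
}

# Validate, then either show the command (default) or run it.
toggle_app() {
    cmd=$(build_toggle_cmd "$@") || return $?
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$cmd"
    else
        # Arguments are passed as separate words, never through eval or sh -c.
        "$SPLUNK_BIN" "$1" app "$3" -uri "https://$2:8089"
    fi
}

# Usage: DRY_RUN=0 ./toggle.sh disable uf-lab-01 mycustominputs
if [ $# -gt 0 ]; then
    toggle_app "$@"
fi
```

Because the web layer passes only the three validated words, a request naming an unknown forwarder or app fails before the Splunk CLI is ever invoked.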
Thanks, it's so great. I have got enabling and disabling working in order to trigger the script only one time. But it seems that there isn't any module button to execute a script exclusively, instead of | [script] in the search query. Do you have some idea how to create such a button?
Besides, can you take a look at my other question:
If you really want a button-like system, you are going to have to build an app using the app framework, which will eventually replace advanced XML (distant future). http://dev.splunk.com/view/app-framework/SP-CAAADPK
Did you get this working? I also have a similar requirement. The enable/disable app approach seems to be working, but how do I get it done from a dashboard on a button click? Any help would be really appreciated.