Does anyone know the steps to configure the UniversalForwarder to send some data via a shell script to the Splunk server?
I have the Splunk server installed on a Windows machine.
Now I have a Unix machine where I have some scripts, and I want the output of these scripts to be tracked in my Windows Splunk server.
Any doc or help much appreciated.
So to be clear, you install the forwarder onto the Unix machine, you then configure Splunk to either run these scripts as a scripted input;
http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ScriptSetup
Or you just configure your shell scripts to output their data to a local file and configure your forwarder to monitor that file;
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
Open up any firewall ports on both ends and ensure there is a route and then configure outputs.conf on the forwarder to send to the indexer;
http://docs.splunk.com/Documentation/Splunk/latest/Admin/outputsconf
and then configure the indexer to receive, as per the inputs.conf documentation above.
Check your outputs.conf, and at your search head please check the receiving port configuration. Perform a telnet and ping test also to make sure the Windows server, i.e. the search head, is reachable.
[tcpout]
defaultGroup = lb
[tcpout:lb]
server = server_name:9998
The script is executable.
[root@ ]# tail -3 $SPLUNK_HOME/var/log/splunk/splunkd.log
05-22-2013 18:02:33.349 +0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
05-22-2013 18:02:35.688 +0530 WARN TcpOutputProc - Cooked connection to ip=10.151.9.184:9997 timed out
[root@ ]# ping 10.151.9.184
PING 10.151.9.184 (10.151.9.184) 56(84) bytes of data.
64 bytes from 10.151.9.184: icmp_seq=1 ttl=127 time=0.856 ms
But I am not sure about the 9997 port. Can you tell me the location of the file that will confirm this port on the server side?
It looks fine, but make sure the .sh file is made executable.
Hi Drainy,
[root@mymachine local]# more /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/inputs.conf
[splunktcp]
route=has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = *
index = _internal
[script:///opt/splunkforwarder/etc/apps/scripts/bin/top.sh]
interval = 5 # run every 5 seconds
sourcetype = top # set sourcetype to top
source = script:///opt/splunkforwarder/etc/apps/scripts/bin/top.sh
[root@mymachine local]#
Please tell me if this is fine.
Hello Dinesh,
You can use the script option to configure the scripts in inputs.conf
e.g.
[script://./path/test.sh]
sourcetype = test
source = test
interval = 300
index = index_name
disabled = 0
It can be done on a Windows system as well.
I want the output of my script to be monitored by Splunk.
I mean, I have:
On a Windows machine, one Splunk server (let's call it Server).
On many Unix or Windows machines I have UniversalForwarder installed (let's call them Clients). I think I have not configured it properly to send data to the Windows Splunk server.
So now on the client there are some scripts which give some output to a file.
I want the Splunk server to read this file, and I will be able to see the output of this file in my Splunk UI (where I can create dashboards etc.).
Please do let me know if you want more detail on this.
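A check for the mismatch visible in the excerpts posted earlier in this thread, where the outputs.conf lists port 9998 while splunkd.log reports a timeout to port 9997. This is an added example, not part of any post and not Splunk's own tooling; the function names are hypothetical and the sample files are the thread's excerpts re-created in a temp directory.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Splunk tooling.

# host:port targets from every "server =" line of an outputs.conf ($1)
configured_targets() {
    awk -F= '
        /^[ \t]*#/ { next }                      # skip whole-line comments
        $1 ~ /^[ \t]*server[ \t]*$/ {
            n = split($2, t, ",")                # value may be a comma list
            for (i = 1; i <= n; i++) {
                gsub(/[ \t\r]/, "", t[i])
                if (t[i] != "") print t[i]
            }
        }' "$1" | sort -u
}

# ip:port destinations that TcpOutputProc reported as timed out ($1 = splunkd.log)
timed_out_targets() {
    sed -n 's/.*TcpOutputProc.*connection to ip=\([^ ]*\) timed out.*/\1/p' "$1" | sort -u
}

# Ports that timed out in the log ($2) but do not appear in the outputs.conf ($1)
stale_ports() {
    conf_ports=$(configured_targets "$1" | sed 's/.*://' | sort -u)
    for p in $(timed_out_targets "$2" | sed 's/.*://' | sort -u); do
        echo "$conf_ports" | grep -qx "$p" || echo "$p"
    done
}

# Sample input: the outputs.conf and splunkd.log excerpts shown in the thread
write_samples() {
    cat > "$1/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = lb
[tcpout:lb]
server = server_name:9998
EOF
    cat > "$1/splunkd.log" <<'EOF'
05-22-2013 18:02:33.349 +0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
05-22-2013 18:02:35.688 +0530 WARN TcpOutputProc - Cooked connection to ip=10.151.9.184:9997 timed out
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
for port in $(stale_ports "$tmp/outputs.conf" "$tmp/splunkd.log"); do
    echo "port $port timed out in splunkd.log but is not in this outputs.conf"
done
rm -rf "$tmp"
```

A port reported here means the running forwarder is not using the settings in the file that was inspected; `splunk btool outputs list --debug` on the forwarder shows which file supplies each effective setting.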