Deployment Architecture

Doc to configure the UniversalForwarder to send some data via a shell script to the splunk server

dineshahlawat
New Member

Does anyone know the steps to configure the UniversalForwarder to send some data via a shell script to the Splunk server?

I have a Splunk server installed on a Windows machine.
Now I have a Unix machine where I have some scripts, and I want the output of these scripts to be tracked in my Windows Splunk server.

Any doc or help much appreciated.

0 Karma

Drainy
Champion

So to be clear: you install the forwarder onto the Unix machine, then configure Splunk to either run these scripts as a scripted input;
http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ScriptSetup

or you configure your shell scripts to write their data to a local file and configure your forwarder to monitor that file;
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

Open up any firewall ports on both ends and ensure there is a route, and then configure outputs.conf on the forwarder to send to the indexer;
http://docs.splunk.com/Documentation/Splunk/latest/Admin/outputsconf

and then configure the indexer to receive, as per the inputs.conf documentation above.

0 Karma
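The steps in the answer above, laid out as one added example (this is not from the thread and not Splunk's own files): a forwarder-side app holding the scripted input and the outputs.conf that points at the indexer, plus the matching receiving stanza for the indexer. The app name `scripts`, the script `top.sh`, the index `main`, the group name `indexers` and the indexer address `10.151.9.184:9997` are placeholders (the address is the one that shows up later in this thread); `SPLUNK_HOME` defaults to a scratch directory so the script runs on a box without a forwarder installed.

```shell
#!/bin/sh
# Added example (not from the thread, not Splunk's own files): lay out a
# forwarder-side app for a scripted input plus the outputs.conf that points at
# the indexer, and show the matching indexer-side receiving stanza.
# SPLUNK_HOME defaults to a scratch directory so this runs without a forwarder
# installed; app name "scripts", index "main" and the indexer address are
# placeholders.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-$(mktemp -d)}"
INDEXER="${INDEXER:-10.151.9.184:9997}"
APP_DIR="$SPLUNK_HOME/etc/apps/scripts"

# Write the app and print its path. Settings go in local/, never in an app's
# default/ directory, which is replaced on upgrade.
setup_forwarder_app() {
    mkdir -p "$APP_DIR/bin" "$APP_DIR/local"

    # The script splunkd will run; whatever it writes to stdout gets indexed.
    cat > "$APP_DIR/bin/top.sh" <<'EOF'
#!/bin/sh
# one batch snapshot of top per run
top -b -n 1
EOF
    # splunkd executes the script as the splunk user, so it must be executable
    chmod 0755 "$APP_DIR/bin/top.sh"

    # Scripted input. Splunk .conf files do not accept a trailing comment on a
    # setting line, so comments sit on their own lines. The script path is
    # relative to the app directory.
    cat > "$APP_DIR/local/inputs.conf" <<'EOF'
[script://./bin/top.sh]
# seconds between runs
interval = 60
sourcetype = top
# the index must already exist on the indexer
index = main
disabled = 0
EOF

    # Forwarder -> indexer. 9997 is the conventional receiving port; the group
    # name "indexers" is arbitrary but must match between the two stanzas.
    cat > "$APP_DIR/local/outputs.conf" <<EOF
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = $INDEXER
EOF
    printf '%s\n' "$APP_DIR"
}

# Indexer side: equivalent to running 'splunk enable listen 9997' on the
# Windows server, which puts this stanza into etc/system/local/inputs.conf.
indexer_receiving_stanza() {
    cat <<'EOF'
[splunktcp://9997]
disabled = 0
EOF
}

# Returns 0 when the app has an executable script and both conf files in place.
verify_app() {
    [ -x "$1/bin/top.sh" ] &&
    grep -q '^\[script://\./bin/top\.sh\]' "$1/local/inputs.conf" &&
    grep -q "^server = $INDEXER\$" "$1/local/outputs.conf"
}

app=$(setup_forwarder_app)
verify_app "$app" && echo "forwarder app written to $app"
echo "--- add this to inputs.conf on the indexer (or run: splunk enable listen 9997) ---"
indexer_receiving_stanza
```

Run it with `SPLUNK_HOME=/opt/splunkforwarder INDEXER=<indexer>:9997 sh setup.sh` on the forwarder and then `splunk restart`; after that, `splunk list inputstatus` on the forwarder and a search for `sourcetype=top` on the indexer tell you whether the script is being run and whether its output is arriving.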

linu1988
Champion

Check your outputs.conf, and at your search head please check the receiving port configuration. Perform telnet and ping tests also, to make sure the Windows server, i.e. the search head, is reachable.

[tcpout]
defaultGroup = lb

[tcpout:lb]
server = server_name:9998

0 Karma

dineshahlawat
New Member

The script is executable.
[root@ ]# tail -3 $SPLUNK_HOME/var/log/splunk/splunkd.log
05-22-2013 18:02:33.349 +0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
05-22-2013 18:02:35.688 +0530 WARN TcpOutputProc - Cooked connection to ip=10.151.9.184:9997 timed out
[root@ ]# ping 10.151.9.184
PING 10.151.9.184 (10.151.9.184) 56(84) bytes of data.
64 bytes from 10.151.9.184: icmp_seq=1 ttl=127 time=0.856 ms
But I am not sure of the 9997 port. Can you tell me the file location which will confirm this port on the server side?

0 Karma
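The two WARN lines in the post above are different problems. `TcpOutputProc - Cooked connection to ip=10.151.9.184:9997 timed out` is the forwarder failing to open TCP 9997 on the indexer; a successful ping only proves ICMP gets through, not that the Windows firewall allows 9997 or that anything is listening there. The `DeploymentClient` line means a deployment server is configured in deploymentclient.conf and is unreachable; it does not stop forwarding. As an added example (not from the thread), a small helper that pulls every ip:port a forwarder has timed out against out of splunkd.log and tries a plain TCP connect to each. The log lines inside it are constructed copies of the ones posted; the connect test uses `nc` when present and falls back to bash's `/dev/tcp` under `timeout`.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk): find the indexer targets
# a forwarder is timing out against in splunkd.log and test each one with a
# plain TCP connect.
set -eu

# Constructed sample: copies of the warnings posted in the thread plus one
# unrelated line, so the parser has something to ignore.
SAMPLE_LOG='05-22-2013 18:02:33.349 +0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
05-22-2013 18:02:35.688 +0530 WARN TcpOutputProc - Cooked connection to ip=10.151.9.184:9997 timed out
05-22-2013 18:02:40.102 +0530 INFO  TailingProcessor - Parsing configuration stanza: monitor:///var/log/messages.
05-22-2013 18:03:05.690 +0530 WARN TcpOutputProc - Cooked connection to ip=10.151.9.184:9997 timed out'

# Read splunkd.log text on stdin; print each distinct ip:port that
# TcpOutputProc timed out against, one per line.
timed_out_targets() {
    sed -n 's/.*TcpOutputProc - Cooked connection to ip=\([0-9.]*:[0-9]*\) timed out.*/\1/p' | sort -u
}

# Try a TCP connect to host:port with a 3 second timeout.
# Returns 0 if the port accepts, 1 if it does not, 2 if no tester is available.
tcp_port_open() {
    host=${1%:*}
    port=${1##*:}
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$host" "$port" >/dev/null 2>&1 && return 0 || return 1
    fi
    if command -v bash >/dev/null 2>&1 && command -v timeout >/dev/null 2>&1; then
        # bash-only /dev/tcp pseudo-device; timeout stops a filtered port hanging
        timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null && return 0 || return 1
    fi
    return 2
}

# Read splunkd.log on stdin, test every timed-out target, report each one.
# Returns 0 only when every target accepted a connection.
check_forwarder_targets() {
    rc=0
    for target in $(timed_out_targets); do
        tcp_port_open "$target" && r=0 || r=$?
        case $r in
            0) echo "$target: TCP connect OK; the port is open, so look at the indexer's [splunktcp] stanza and the forwarder's outputs.conf next" ;;
            1) echo "$target: TCP connect FAILED; ping alone does not prove this path, check the Windows firewall and 'splunk display listen' on the indexer"; rc=1 ;;
            *) echo "$target: no nc or bash+timeout available to test the port"; rc=1 ;;
        esac
    done
    return $rc
}

echo "targets the forwarder timed out against in the sample log:"
printf '%s\n' "$SAMPLE_LOG" | timed_out_targets
```

On a real forwarder run it against the live log, `check_forwarder_targets < /opt/splunkforwarder/var/log/splunk/splunkd.log`, or simply `telnet 10.151.9.184 9997` from the Unix box. On the Windows indexer the receiving port lives in an inputs.conf `[splunktcp://9997]` stanza, normally `etc\system\local\inputs.conf` under the Splunk install directory once `splunk enable listen 9997` has been run; `splunk display listen` shows the active receiving ports and `splunk btool inputs list splunktcp --debug` shows which file each setting comes from.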

linu1988
Champion

It looks fine, but make sure the .sh file is made executable.

0 Karma

dineshahlawat
New Member

Hi Drainy,

[root@mymachine local]# more /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/inputs.conf
[splunktcp]
route=has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = *
index = _internal

[script:///opt/splunkforwarder/etc/apps/scripts/bin/top.sh]
# run every 5 seconds
interval = 5
# set sourcetype to top
sourcetype = top
source = script:///opt/splunkforwarder/etc/apps/scripts/bin/top.sh
[root@mymachine local]#
Please tell me if this is fine.

0 Karma

linu1988
Champion

Hello Dinesh,
You can use the script option to configure the scripts in inputs.conf

e.g.
[script://./path/test.sh]
sourcetype = test
source = test
interval = 300
index = index_name
disabled = 0

It can be done on a Windows system as well.

0 Karma

dineshahlawat
New Member

I want the output of my script to be monitored by Splunk.
Meaning, I have:
On a Windows machine, one Splunk server (let's call it Server).
On many Unix or Windows machines I have the UniversalForwarder installed (let's call them Clients). I think I have not configured it properly to send data to the Windows Splunk server.
So now on the client there are some scripts which give some output to a file.
I want the Splunk server to read this file so that I will be able to see the output of this file in my Splunk UI (where I can create dashboards etc.).
Please do let me know if you want more detail on this.

0 Karma