Universal Forwarder problem

aalaa
Path Finder

Hello,
I have a universal forwarder installed on an Oracle server.
I configured this universal forwarder to monitor a script file (splunkhome \ bin \ script) that gives the enabled Oracle services, but the problem is that I receive the list of activated services 20 minutes after I activated or disabled a service.
The goal is to create a real-time alert on the HS to notify that a service is currently enabled.

Any help please?


gcusello
SplunkTrust

Hi @aalaa,

Did you configure a scripted input or file monitoring? In other words: do you have a script scheduled on Unix that writes results to a file, which Splunk then reads, or do you manage the script execution in Splunk (scripted input)?

Anyway, in both cases the question is: what's the frequency of execution of the script?

If you're using a scripted input, the results are immediately forwarded to the Indexers, so the delay is the frequency of scheduling.

If the script writes results to a file, Splunk reads it with a delay of up to thirty seconds, so the delay is still the frequency of scheduling.

Ciao.
Giuseppe

aalaa
Path Finder

Thank you Giuseppe for your response,

I configured the script to write to a file and I configured the file monitoring.
How can I know the frequency of the script?

gcusello
SplunkTrust

Hi @aalaa,
if you scheduled it using Unix scheduler you have to use cron (e.g.: */5 * * * * means every 5 minutes).

If you used Splunk inputs, see https://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

interval = [<decimal>|<cron schedule>]
* How often, in seconds, to run the specified command, or a valid "cron" schedule.
* If you specify the interval as a number, it may have a fractional component; for example, 3.14
* To specify a cron schedule, use the following format:
  * "<minute> <hour> <day of month> <month> <day of week>"
  * Cron special characters are acceptable. You can use combinations of "*", ",", "/", and "-" to specify wildcards, separate values, specify ranges of values, and step values.
* The cron implementation for data inputs does not currently support names of months or days.
* The special value 0 forces this scripted input to be run continuously.
  As soon as the script exits, the input restarts it.
* The special value -1 causes the scripted input to run once on start-up.
* NOTE: when you specify a cron schedule, the input does not run the script on start-up.
* Default: 60.0

Ciao.
Giuseppe
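
The two setups discussed in this thread, sketched as an added inputs.conf example (not posted by either participant). The script name, the output file path, the sourcetype and the 60-second interval are assumptions chosen for illustration.

```ini
# Option A: scripted input. Splunk runs the script itself and forwards what it
# prints, so the delay is bounded by `interval` (seconds or a cron schedule).
# Script name and sourcetype are hypothetical.
[script://$SPLUNK_HOME/bin/scripts/oracle_services.sh]
interval = 60
sourcetype = oracle:services
disabled = 0

# Option B: file monitoring. An external scheduler (e.g. cron) runs the script
# and writes its output to a file; the forwarder only reads that file.
# `interval` has no effect here: the delay is set by the external schedule
# (e.g. */5 * * * * in the crontab) plus the file read delay mentioned above.
# File path is hypothetical.
[monitor:///var/log/oracle_services.log]
sourcetype = oracle:services
disabled = 0
```

With Option B, the schedule to check is the one in the external scheduler that launches the script, not anything in inputs.conf.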
