Solved: Backfill Scripted Input Data

raidercom · ‎09-08-2021

I'm running Splunk 8.2.2 in a docker container.

I'm using a separate app with a scripted input to get data into Splunk via a bash script.

That script works perfectly, except when the source API screws up, or when I delete the index and need to backfill all of the previous data.

The scripted input is setup in inputs.conf as:

[script://$SPLUNK_HOME/etc/apps/app/bin/app.sh]
interval = */5 * * * *

Is there a way to manually run a script one time and have splunk consume the output? I'd really like to avoid setting up a regular monitor, and have splunk consume a regular file just for a backfill operation. I'd also like to avoid modifying the working scripted input.

Thank you for any suggestions you can provide.

raidercom · ‎09-11-2021

I ended up merging 2 solutions.

1) scripted input that runs a bash script that outputs to a file

2) monitor that log file

View solution in original post

raidercom · ‎09-11-2021

I ended up merging 2 solutions.

1) scripted input that runs a bash script that outputs to a file

2) monitor that log file

Backfill Scripted Input Data

scripted input

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?