Solved: Backfill Scripted Input Data

raidercom · ‎09-08-2021

I'm running Splunk 8.2.2 in a docker container.

I'm using a separate app with a scripted input to get data into Splunk via a bash script.

That script works perfectly, except when the source API screws up, or when I delete the index and need to backfill all of the previous data.

The scripted input is setup in inputs.conf as:

[script://$SPLUNK_HOME/etc/apps/app/bin/app.sh]
interval = */5 * * * *

Is there a way to manually run a script one time and have splunk consume the output? I'd really like to avoid setting up a regular monitor, and have splunk consume a regular file just for a backfill operation. I'd also like to avoid modifying the working scripted input.

Thank you for any suggestions you can provide.

raidercom · ‎09-11-2021

I ended up merging 2 solutions.

1) scripted input that runs a bash script that outputs to a file

2) monitor that log file

View solution in original post

raidercom · ‎09-11-2021

I ended up merging 2 solutions.

1) scripted input that runs a bash script that outputs to a file

2) monitor that log file

Backfill Scripted Input Data

scripted input

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation