Solved: Backfill Scripted Input Data

raidercom · ‎09-08-2021

I'm running Splunk 8.2.2 in a docker container.

I'm using a separate app with a scripted input to get data into Splunk via a bash script.

That script works perfectly, except when the source API screws up, or when I delete the index and need to backfill all of the previous data.

The scripted input is setup in inputs.conf as:

[script://$SPLUNK_HOME/etc/apps/app/bin/app.sh]
interval = */5 * * * *

Is there a way to manually run a script one time and have splunk consume the output? I'd really like to avoid setting up a regular monitor, and have splunk consume a regular file just for a backfill operation. I'd also like to avoid modifying the working scripted input.

Thank you for any suggestions you can provide.

raidercom · ‎09-11-2021

I ended up merging 2 solutions.

1) scripted input that runs a bash script that outputs to a file

2) monitor that log file

View solution in original post

raidercom · ‎09-11-2021

I ended up merging 2 solutions.

1) scripted input that runs a bash script that outputs to a file

2) monitor that log file

Backfill Scripted Input Data

scripted input

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

Index This | How do you write 23 only using the number 2?

Are you a member of the Splunk Community?

Backfill Scripted Input Data

scripted input

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

Index This | How do you write 23 only using the number 2?