Solved: Backfill Scripted Input Data

raidercom · ‎09-08-2021

I'm running Splunk 8.2.2 in a docker container.

I'm using a separate app with a scripted input to get data into Splunk via a bash script.

That script works perfectly, except when the source API screws up, or when I delete the index and need to backfill all of the previous data.

The scripted input is setup in inputs.conf as:

[script://$SPLUNK_HOME/etc/apps/app/bin/app.sh]
interval = */5 * * * *

Is there a way to manually run a script one time and have splunk consume the output? I'd really like to avoid setting up a regular monitor, and have splunk consume a regular file just for a backfill operation. I'd also like to avoid modifying the working scripted input.

Thank you for any suggestions you can provide.

raidercom · ‎09-11-2021

I ended up merging 2 solutions.

1) scripted input that runs a bash script that outputs to a file

2) monitor that log file

View solution in original post

raidercom · ‎09-11-2021

I ended up merging 2 solutions.

1) scripted input that runs a bash script that outputs to a file

2) monitor that log file

Backfill Scripted Input Data

scripted input

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

Backfill Scripted Input Data

scripted input

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...