Can I run the btool command on a universal forwarder without running shell or powershell script?
I would like to run a scheduled Splunk btool command using a scripted input to index configs every few hours. I cannot put this command in a .sh or any other script file and give it as input to a scripted input in Splunk, due to a limitation on running scripts on our Windows universal forwarders.
So, I have put a .path file under the bin dir of the app, and pointed to the .path file in the scripted input like:
[Script//./bin/file.path]
And
The path file contains the below command:
/opt/splunk/bin/splunk cmd btool inputs list --debug
But it is not running the Splunk btool cmd when pointed from the .path file. It's not indexing data.
The path file can only point and run external scripts in .sh or .exe formats.
Is there any possibility to run the btool command on UFs, without using .exe scripts on Windows, on a scheduled basis through Splunk inputs?
My requirement is to index config data every day.
@ankithreddy777, you said -
-- My requirement is to index config data every day
Are you trying to use /opt/splunk/bin/splunk cmd btool inputs list --debug to index data? Because the purpose of this command is to display the existing configurations.
Hi @ddrillic, I am using a scripted input to point to a .path file.
[Script//./bin/file.path]
In the .path file, I am giving the btool command to run in debug mode.
/opt/splunk/bin/splunk cmd btool inputs list --debug
The above command is not executed to give the required output and index it.
Ok, now I got it ; -)
I've done the same thing, mostly for auditing our forwarder configs and making them searchable in the Splunk UI.
I've created my own technical add-ons for forwarders to run btool as a scripted input, which runs a .sh script for Linux and a .bat file for Windows.
Linux - may work on other unix OSs as well
http://downloads.jordan2000.com/splunk/TA-btool-Linux.tgz
Windows
http://downloads.jordan2000.com/splunk/TA-btool-Win.tgz
I cannot run the .bat scripts on Windows servers because some Windows servers restrict running .bat scripts. Is there any option to schedule the btool command and index data from it?
If you have your own mechanism/windows scheduler option to invoke the splunk btool command, you could certainly direct that output to a log and then have the Splunk Universal Forwarder monitor said log.
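One way two captured `btool inputs list --debug` snapshots (for example, from the log file suggested above) could be compared to show which settings changed and which .conf file now supplies them. This is an added example, not code from the thread; it assumes each output line is the supplying .conf path followed by a stanza header or a key = value pair, and the snapshots and the app name TA-example are constructed.

```python
import re

# Assumed line shape of `btool <conf> list --debug` output:
#   <path of the .conf file supplying the line> <[stanza] or key = value>
# Splitting at the first ".conf" + whitespace copes with Windows paths
# that contain spaces (C:\Program Files\...).
LINE = re.compile(r"^(?P<src>.*?\.conf)\s+(?P<rest>\S.*)$")

def parse_btool_debug(text):
    """Return {(stanza, key): (value, supplying_file)}."""
    settings, stanza = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # blank or unrecognised line
        src, rest = m.group("src"), m.group("rest")
        if rest.startswith("[") and rest.endswith("]"):
            stanza = rest[1:-1]
        elif "=" in rest and stanza is not None:
            key, _, value = rest.partition("=")
            settings[(stanza, key.strip())] = (value.strip(), src)
    return settings

def diff_snapshots(old_text, new_text):
    """List (kind, stanza, key, before, after) for every differing setting."""
    old, new = parse_btool_debug(old_text), parse_btool_debug(new_text)
    changes = []
    for k in sorted(old.keys() | new.keys()):
        before, after = old.get(k), new.get(k)
        if before == after:
            continue  # same value supplied by the same file
        kind = ("added" if before is None
                else "removed" if after is None else "changed")
        changes.append((kind, k[0], k[1], before, after))
    return changes

# Constructed sample snapshots; TA-example is a hypothetical app name.
ETC = r"C:\Program Files\SplunkUniversalForwarder\etc"
APP = ETC + r"\apps\TA-example"
HEAD = [ETC + r"\system\default\inputs.conf [default]",
        ETC + r"\system\default\inputs.conf host = $decideOnStartup",
        APP + r"\default\inputs.conf [monitor://C:\logs\app.log]"]
BASELINE = "\n".join(HEAD + [APP + r"\default\inputs.conf disabled = 0"])
CURRENT = "\n".join(HEAD + [APP + r"\local\inputs.conf disabled = 1",
                            APP + r"\local\inputs.conf sourcetype = app"])

if __name__ == "__main__":
    for kind, stanza, key, before, after in diff_snapshots(BASELINE, CURRENT):
        print(kind, f"[{stanza}] {key}:", before, "->", after)
```

Because the supplying file is part of the comparison, a setting that moves from an app's default directory to its local directory is reported even when its value is unchanged.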


What's the purpose of running btool every day? I see you want to index configuration data every day. Why not just use a REST command via the search?
I want to run btool to audit configurations from all UFs. REST is not a good option for us due to security reasons. We are looking to use some local inputs without executing a .bat script on Windows.


So why are you wanting to collect conf file information from all the forwarders? Are you trying to monitor who modified a configuration? If so, then you could use version control for this.
We are trying to monitor who accidentally changed the configurations on Windows UFs.
May I know how to use version control for this?


I think ingesting configuration files each day is a bad idea for this. It will also cost you money via the license cost to do this as well. A better approach would be to use the deployment server to exclusively send configuration files to the forwarders and lock down that user of that config file on the host. You should then use BitBucket to version control your deployment server files that are sent to the hosts.
If you cannot run the Splunk btool commands from the command line, I think you need to go with the first suggestion of @skoelpin to use the REST API.
https://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTconfigurations
REST API is definitely a good option; however, I'm not sure of the coding required to pull back all attributes, and you do have to have network connectivity to attach to the Splunk management port, which I find is often blocked in certain network zones.


Yeah, as in most cases, it depends. OP hasn't specified what conf files or from what components, so it's all speculation at this point.
