Getting Data In

Can I run the btool command on a universal forwarder without running shell or powershell script?

ankithreddy777
Contributor

I would like to run a scheduled Splunk btool command using a scripted input to index configs every few hours. I cannot put this command in a .sh or any other script file and give it to a scripted input in Splunk, due to a limitation on running scripts on our Windows universal forwarders.

So, I have put a .path file under the bin dir of the app, and pointed the scripted input at the .path file like:

[script://./bin/file.path]

And the .path file contains the below command:

/opt/splunk/bin/splunk cmd btool inputs list --debug

But it is not running the Splunk btool command when pointed to from the .path file. It's not indexing data.

The path file can only point and run external scripts in .sh or .exe formats.

Is there any possibility to run the btool command on UFs, without using .exe scripts on Windows, on a schedule driven by Splunk inputs?

My requirement is to index config data every day.

0 Karma

ddrillic
Ultra Champion

@ankithreddy777, you said -

-- My requirement is to index config data every day

Are you trying to use /opt/splunk/bin/splunk cmd btool inputs list --debug to index data? Because the purpose of this command is to display the existing configurations.

0 Karma

ankithreddy777
Contributor

Hi @ddrillic, I am using a scripted input to point to a path file.

[script://./bin/file.path]

In the .path file, I am giving the btool command to run in debug mode.

/opt/splunk/bin/splunk cmd btool inputs list --debug

The above command is not executed to give the required output and index it.

0 Karma

ddrillic
Ultra Champion

Ok, now I got it ;-)

0 Karma

bandit
Motivator

I've done the same thing, mostly for auditing our forwarder configs and making them searchable in the Splunk UI.

I've created my own technical add-ons for forwarders to run btool as a scripted input, which run a .sh script for Linux and a .bat file for Windows.

Linux - may work on other Unix OSs as well
http://downloads.jordan2000.com/splunk/TA-btool-Linux.tgz

Windows
http://downloads.jordan2000.com/splunk/TA-btool-Win.tgz

ankithreddy777
Contributor

I cannot run the .bat scripts on Windows servers, because some Windows servers are restricted from running .bat scripts. Is there any option to schedule the btool command and index data from it?

0 Karma

bandit
Motivator

If you have your own mechanism/windows scheduler option to invoke the splunk btool command, you could certainly direct that output to a log and then have the Splunk Universal Forwarder monitor said log.

0 Karma
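If the btool output does get written to a log that the forwarder monitors, the audit question becomes "what changed between two runs?". The following is an added example, not code from the thread or from the TA-btool add-ons: it parses the `--debug` layout (source .conf path, whitespace, then the stanza header or `key = value`) and diffs two snapshots, reporting which file supplied the new value. The sample output is constructed, and the /opt/splunkforwarder paths are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# One --debug line: "<path ending in .conf>   <[stanza] or key = value>"
_LINE = re.compile(r"^(?P<src>.+?\.conf)\s+(?P<rest>\S.*?)\s*$")

# stanza -> key -> (value, source .conf file that won the merge)
Snapshot = Dict[str, Dict[str, Tuple[str, str]]]

def parse_btool_debug(text: str) -> Snapshot:
    """Parse `splunk cmd btool inputs list --debug` output into a Snapshot."""
    snap: Snapshot = {}
    stanza: Optional[str] = None
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # blank line or a line shape this parser does not model
        src, rest = m.group("src"), m.group("rest")
        if rest.startswith("[") and rest.endswith("]"):
            stanza = rest[1:-1]
            snap.setdefault(stanza, {})
        elif "=" in rest and stanza is not None:
            key, value = (p.strip() for p in rest.split("=", 1))
            snap[stanza][key] = (value, src)
    return snap

def diff_snapshots(old: Snapshot, new: Snapshot) -> List[tuple]:
    """Return (stanza, key, old_value, new_value, source_file); None = absent."""
    changes = []
    for stanza in sorted(set(old) | set(new)):
        o, n = old.get(stanza, {}), new.get(stanza, {})
        for key in sorted(set(o) | set(n)):
            ov, nv = o.get(key, (None, None)), n.get(key, (None, None))
            if ov[0] != nv[0]:
                changes.append((stanza, key, ov[0], nv[0], nv[1] or ov[1]))
    return changes

# Constructed sample output (not from a real forwarder). The second snapshot
# changes the index and disables the input from a different, higher-priority file.
APP = "/opt/splunkforwarder/etc/apps/TA-audit/local/inputs.conf"
SYS = "/opt/splunkforwarder/etc/system/local/inputs.conf"
BEFORE = f"""{APP}   [monitor:///var/log/secure]
{APP}   index = os_security
"""
AFTER = f"""{APP}   [monitor:///var/log/secure]
{SYS}   disabled = 1
{APP}   index = main
"""
```

Matching on the `.conf` suffix rather than on whitespace keeps Windows paths such as C:\Program Files\... intact.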

skoelpin
SplunkTrust

What's the purpose of running btool every day? I see you want to index configuration data every day. Why not just use a REST command via the search?

0 Karma

ankithreddy777
Contributor

I want to run btool to audit configurations from all UFs. REST is not a good option for us due to security reasons. We are looking to use some local inputs without executing a .bat script on Windows.

0 Karma

skoelpin
SplunkTrust

So why are you wanting to collect conf file information from all the forwarders? Are you trying to monitor who modified a configuration? If so, then you could use version control for this.

0 Karma

ankithreddy777
Contributor

We are trying to monitor who accidentally changed the configurations on a Windows UF.
May I know how to use version control for this?

0 Karma

skoelpin
SplunkTrust

I think ingesting configuration files each day is a bad idea for this. It will also cost you money via the license cost to do this as well. A better approach would be to use the deployment server to exclusively send configuration files to the forwarders and lock down the user of that config file on the host. You should then use BitBucket to version control your deployment server files that are sent to the hosts.

0 Karma

bandit
Motivator

If you cannot run the Splunk btool commands from the command line, I think you need to go with the first suggestion of @skoelpin to use the REST API.

https://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTconfigurations

0 Karma

bandit
Motivator

The REST API is definitely a good option, however I'm not sure of the coding required to pull back all attributes, and you do have to have network connectivity to attach to the Splunk management port, which I find is often blocked in certain network zones.

0 Karma
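As an added example of the REST route (not code from the thread or from the linked Splunk docs): fetch one conf file from a host's management port with an authentication token, strip the eai:* metadata the endpoint adds, and emit one JSON line per stanza that a forwarder could monitor. It assumes the management port is reachable, as bandit notes it often is not, and that a token with read access to the configs endpoint exists; the sample response is constructed.

```python
import json
import ssl
import urllib.request
from typing import Any, Dict, List

def fetch_conf(base_url: str, conf: str, token: str, verify_tls: bool = True) -> Dict[str, Any]:
    """GET /services/configs/conf-<conf> (all stanzas) as JSON, using a Splunk auth token."""
    url = f"{base_url}/services/configs/conf-{conf}?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab hosts still on the default self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)

def flatten_entries(doc: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Reduce the REST JSON to {stanza: {key: value}}, dropping eai:* metadata."""
    out: Dict[str, Dict[str, Any]] = {}
    for entry in doc.get("entry", []):
        content = entry.get("content", {})
        out[entry["name"]] = {k: v for k, v in content.items() if not k.startswith("eai:")}
    return out

def to_events(snapshot: Dict[str, Dict[str, Any]], host: str) -> List[str]:
    """One JSON line per stanza, ready to be appended to a log that a UF monitors."""
    return [json.dumps({"host": host, "stanza": stanza, **kv}, sort_keys=True)
            for stanza, kv in snapshot.items()]

# Constructed sample response (not from a real forwarder), trimmed to the
# fields this example uses.
SAMPLE_RESPONSE = {
    "entry": [
        {"name": "monitor:///var/log/secure",
         "content": {"index": "main", "disabled": False,
                     "eai:acl": {"app": "TA-audit", "sharing": "app"}}},
        {"name": "script://./bin/file.path",
         "content": {"interval": "3600", "eai:appName": "TA-audit"}},
    ]
}
```

A run against a live host would be `to_events(flatten_entries(fetch_conf("https://uf-host:8089", "inputs", token)), "uf-host")`, with the host name and token supplied by the caller.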

skoelpin
SplunkTrust

Yeah, as in most cases, it depends. OP hasn't specified what conf files or from what components, so it's all speculation at this point.
