So you are contemplating recreating all of the functionality that a forwarder provides by coding it yourself and using the
oneshot command and the method of injecting stuff into Splunk? WHY???? That is crazy! I find it difficult to imagine something that you might like to add to a forwarder that you cannot already do using Splunk's own forwarder configuration capabilities. Are you joking or am I misunderstanding you?
I'm not but I need reasons to convince my team otherwise.
What else does it provide besides buffering, failover, and a round robin load balance (not a true load balance)? That is what I'm trying to explain to them.
Let's see: SSL, multiple destinations, buffering, transforming, timezoning, debugging tools, C&C by Deployment Server, Integration into DMC...
Not to mention Windows event log black/white lists, continuous file monitoring (oneshot would have to be scripted), Windows perfmon/powershell collection natively, etc etc etc.
@jaredlaney, what problem is your team seeing that caused this change of heart? I bet it can be fixed......
Our files are static and we don't do Windows but definitely true.
We have static log files that get created once a day and we're looking for a way to verify that the data made it to Splunk. We're thinking that we'd have to query Splunk through the Rest interface to verify that the data made it.
Then, simply put, use the UF. Then in Splunk, write a saved scheduled report that finds that data. If count < 1, then it didn't make it. If it is count > 0, then you are good to go.
Thanks for the ammunition. They relented... 🙂