Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Can't launch bat file at UF
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to launch some batch file but UF don't want to do this.
My input.cong contain:
[script://.\bin\script\LogCheck.bat 2018-07]
disabled = 0
interval = 300
index = werrorindex
sourcetype = sql_audit
2018-07 is a parametr of launch the batch
If I use in cmd LogCheck.bat 2018-07 it works fine.
Help me please to find the issue..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @atyshke1
can you follow this link
https://answers.splunk.com/answers/242242/how-to-run-batch-file-in-splunk.html
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, I can start bat file,
But I have another issue now. Bat file start ok when I start it by myself. When I restart UF, he try to start bat file. AS per splunkd.log it start then create a files but after some jobs with those files the files doesn't copy to folder where located UF. If I start again by myself, the csript will do all jobs which indicated in bat file. It seems that universal forward can't do any command in bat file or maybe UF need additional NTFS permission. How can I check this? I can't see any error info in splunkd.log
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @atyshke1
can you follow this link
https://answers.splunk.com/answers/242242/how-to-run-batch-file-in-splunk.html
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The second link doesn't work
Regarding first link, I tried and it works but doesn't work with my code 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, I tried to use this code:
[script://$SPLUNK_HOME\etc\apps\SQL_Failed_logon\bin\script\LogCheck.bat]
disabled = 0
interval = 300
sourcetype = SQL_Audit
and if I insert a code into LogChecked.bat as:
echo This is a test > "C:\Program Files\Splunk\var\log\splunk\test.txt"
echo 123 >> "C:\Program Files\Splunk\var\log\splunk\test.txt"
echo 245.67 >> "C:\Program Files\Splunk\var\log\splunk\test.txt"
It.s work fine.
But if I insert a code into LogChecked.bat as:
@Echo Off
SetLocal EnableExtensions EnableDelayedExpansion
For /F "Delims=" %%I In ('Hostname') Do Set V=%%~I
setlocal enabledelayedexpansion
set d=%date:~0,2%
set m=%date:~3,2%
set y=%date:~6,4%
if %d:~0,1%==0 set d=%d:~1%
if %m:~0,1%==0 set m=%m:~1%
set /a feb=y%%4
if %feb%==0 (set feb=29) else (set feb=28)
set /a tok=m-1
if %tok%==0 set tok=12
for /f "tokens=%tok%" %%i in ("31 %feb% 31 30 31 30 31 31 30 31 30 31") do (
:: минус 1 month set /a m-=1
set /a m-=1
if !d!==0 (
set d=%%i
set m=%tok%
if !m!==12 set /a y-=1
)
)
set d=0%d%
set m=0%m%
set lastmonth=%y%-%m:~-2%
@copy "\%V%\SQLLOGS$\ERRORLOG." errorlog..%V% /Z
@find "%lastmonth%" Errorlog..%V% > out2.%V%
@find "%lastmonth%" Errorlog.1.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.2.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.3.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.4.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.5.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.6.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.7.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.8.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.9.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.10.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.11.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.12.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.13.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.14.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.15.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.16.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.17.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.18.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.19.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.20.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.21.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.22.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.23.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.24.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.25.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.26.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.27.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.28.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.29.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.30.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.31.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.32.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.33.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.34.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.35.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.36.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.37.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.38.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.39.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.40.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.41.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.42.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.43.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.44.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.45.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.46.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.47.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.48.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.49.%V% >> out2.%V%
@find "%lastmonth%" Errorlog.50.%V% >> out2.%V%
@find "Logon" out2.%V% > out.%V%
@del out2.*
MonthREport2005.exe %lastmonth% out.%V% outlog%V%.txt %V% 2008
@type outlog%V%.txt >> SumLog.txt
@del Errorlog*
@del outlog%V%.txt
:@del out.*
It doesn't work. How can I check what happened in splunk and why this is not work?
If I start this code throught cmd it works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey@atyshke1,
I think the issue is with the path of the script .Instead of .\ it should be $SPLUNK_HOME or the splunk home path.
Refer this link:
https://docs.splunk.com/Documentation/Splunk/7.1.2/AdvancedDev/ScriptSetup
Let me know if this helps!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried this:
[script://$SPLUNK_HOME/etc/apps/SQL_Failed_logon/bin/script/log.bat]
disabled = 0
interval = 300
index = werrorindex
sourcetype = sql_audit
But it didn't help
I created a log.bat for test with simple code:
echo This is a test > "C:\Program Files\SplunkUniversalForwarder\etc\apps\SQL_Failed_logon\bin\script\test.txt"
echo 123 >> "C:\Program Files\SplunkUniversalForwarder\etc\apps\SQL_Failed_logon\bin\script\test.txt"
echo 245.67 >> "C:\Program Files\SplunkUniversalForwarder\etc\apps\SQL_Failed_logon\bin\script\test.txt"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
