- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Can you set a certain time forwarding occurs?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How often does a forwarder check its logs and forward data?
Can I set some sort of configuration where forwarders only forward data at lets say 12:00 AM at night?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The easiest way to accomplish this would be a scripted input with Splunk's CLI "add one shotmore" command or with the type/cat command. My example to does not have any logic to handle datetime appends to file names.
Additional info:
On your forwarer edit you inputs.conf
#windows
[script://.daily_file.bat c:\somedir\somelog.log]
disabled = true
index = main
source = c:\somedir\somelog.log
sourcetype = ras
interval = 0 0 * * *
#*nix
[script://./bin/daily_file.sh /somedir/somelog.log]
disabled = true
index = main
source = /somedir/somelog.log
sourcetype = ras
interval = 0 0 * * *
Option 1
#*nix
#!/bin/bash
$SPLUNK_HOME/bin/splunk add oneshot $1 -auth admin:changeme
done
#windows
echo off
%splunk%\splunk add oneshot %1 -auth admin:changeme
Option 2
This will read the output from cat or type which would normally be displayed on your CMD prompt.
#*nix
#!/bin/bash
cat $1
done
#windows
echo off
type %1
Hope this helps you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All scripted inputs are ran on the cron notation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
for clarification Option1 is a script ran by cron or task manager, while Option 2 is a scripted input in Splunk.
also note that there should be two additional * for the cron entry
ie. 0 0 * * *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@aywong, Why would you want to collect at midnight, can you give your use case?
Ayn is correct there is not a way directly built into splunk for exact time based forwarding of data, but there are ways to accomplish this. Most monitoring done on a poll interval.
File monitoring is based on file checksum. I belive it isendpoint_md5 by default.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, you cannot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The forwarder sends data as soon as it has any to send. How often it CHECKS data depends entirely on which type of input you're talking about. Some inputs, like scripted inputs and WMI inputs, will run at certain configurable intervals. Other inputs, like a regular file monitor, will check on such a regular basis that you can consider it to be more or less real-time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
okay thanks, do you know how often a forwarder checks and forwards data though?
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
