Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Configured .sh scripts not being run/reporting data

joewetzel63
Loves-to-Learn
‎01-24-2025 05:54 AM

I created .sh scripts that do the following:

#!/bin/bash

# Name of the service to monitor
SERVICE_NAME="tomcat9"

# Check if the service is running
SERVICE_STATUS=$(systemctl is-active "$SERVICE_NAME.service")

# Output status for Splunk
if [ "$SERVICE_STATUS" == "active" ]; then
echo "$(date): Service $SERVICE_NAME is running."
else
echo "$(date): Service $SERVICE_NAME is NOT running."
fi



The above is obviously what Im using for Tomcat but I have others all doing the thing just different service names. These scripts reside in:

/opt/splunkforwarder/bin/scripts

Additionally I have configured these scripts to be run in /opt/splunkforwarder/etc/system/local/inputs.conf an example of what that looks like is below:

[script:///opt/splunkforwarder/bin/scripts/monitor_service_<service_name>.sh]

disabled = false
interval = 60
index = services
sourcetype = service_status



As you can see I also have configured the following:

index = services
sourcetype = service_status


These are also configured in Splunk Enterprise respectively and the index is configured for Search, in linux  Splunk is the owner and the group is also Splunk. Additionally all of the scripts are executable and successfully run when I test them, however none of this data seems to be passed from the forwarder as none of the expected data is returned including the recognition of the index and sourcetype in Search.  Additionally I have attached a screen capture of splunkd.log showing the scripts as being recognized.  

2025-01-24_08-46-50.png

Labels (1)
Labels
0 Karma
Reply

splunkreal
Influencer
‎01-24-2025 06:53 AM

Hello, as best practise you should create and deploy an app from deployment server with your inputs.conf and script. Also make sure you include a valid timestamp at the beginning of the output in US format.

Follow these instructions : https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/custominputs/scriptedinputsexampl...

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-24-2025 07:14 AM

Yes, packaging your content into an app is a good practice but it shouldn't matter much if it's in apps/<app>/local or system/local for actually running the config (unless the settings get overwritten of course).

And no, timestamp doesn't have to be in US format. That's what time parsing sourcetype settings are for.

But back to the @joewetzel63 's issue - did you try running the script "as Splunk"? With

splunk cmd /opt/splunkforwarder/bin/scripts/whatever.sh
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...