Hi All,
A straight question
1) If I want to get the database related log into splunk indexer using scripted inputs , does the Universal forwarder needs to be installed in host ?
2)If Yes , How to make the scripted input to send the log into indexer ?
Thank you !
Hi raj_mpl,
if you use a scripted inputs it's better to install a Universal Forwarder on the target server for many reasons (cache, bandwidth optimization, compression, etc...), I don't like to run a remote script.
Anyway, to do this, you have to:
edit $your_TA/local/inputs.conf and adding a stanza like the following.
[script://./bin/your_script.sh]
disabled = 0
interval = 60
sourcetype = your_sourcetype
index = your_index
then restart the Universal Forwarder.
It's better to deploy this TA using a Deployment Server.
Bye.
Giuseppe
Hi @raj_mpl,
Sure, Universal Forwarder is the preferred method to transfer scripted input data, but UF is not the only way to get the output of a script into Splunk.
There are plenty of reasons i can think of to not install a forwarder.. Unsupported OS; Corporate Security policies against agents; Oversubscribed boxes with limited resources; Because you don't want to.
Here is a method off the top of my head...
To make your life easier, have the script output one event per line, include a timestamp, and maybe use JSON or csv formatting to get the auto-field-extraction fun.
Hope this helps.
Thanks @darrenfuller , Your inputs are worth to me
Hi raj_mpl,
if you use a scripted inputs it's better to install a Universal Forwarder on the target server for many reasons (cache, bandwidth optimization, compression, etc...), I don't like to run a remote script.
Anyway, to do this, you have to:
edit $your_TA/local/inputs.conf and adding a stanza like the following.
[script://./bin/your_script.sh]
disabled = 0
interval = 60
sourcetype = your_sourcetype
index = your_index
then restart the Universal Forwarder.
It's better to deploy this TA using a Deployment Server.
Bye.
Giuseppe
Thanks @cusello , Its very clear that you have explained here .