Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Do we need to have universal forwarder install...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
A straight question
1) If I want to get the database related log into splunk indexer using scripted inputs , does the Universal forwarder needs to be installed in host ?
2)If Yes , How to make the scripted input to send the log into indexer ?
Thank you !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi raj_mpl,
if you use a scripted inputs it's better to install a Universal Forwarder on the target server for many reasons (cache, bandwidth optimization, compression, etc...), I don't like to run a remote script.
Anyway, to do this, you have to:
- install the Splunk Universal Forwarder on the target server,
- create a Technical Add-on (TA),
- put your script in $your_TA/bin,
edit $your_TA/local/inputs.conf and adding a stanza like the following.
[script://./bin/your_script.sh]
disabled = 0Run once per minute
interval = 60
sourcetype = your_sourcetype
index = your_indexthen restart the Universal Forwarder.
It's better to deploy this TA using a Deployment Server.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @raj_mpl,
Sure, Universal Forwarder is the preferred method to transfer scripted input data, but UF is not the only way to get the output of a script into Splunk.
There are plenty of reasons i can think of to not install a forwarder.. Unsupported OS; Corporate Security policies against agents; Oversubscribed boxes with limited resources; Because you don't want to.
Here is a method off the top of my head...
- Create script that does $things$
- Install script on the target server
- Run script from cron and output result to file
- Transmit log file to remote syslog server
- Install UF on syslog server to forward data into Splunk.
To make your life easier, have the script output one event per line, include a timestamp, and maybe use JSON or csv formatting to get the auto-field-extraction fun.
Hope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @darrenfuller , Your inputs are worth to me
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi raj_mpl,
if you use a scripted inputs it's better to install a Universal Forwarder on the target server for many reasons (cache, bandwidth optimization, compression, etc...), I don't like to run a remote script.
Anyway, to do this, you have to:
- install the Splunk Universal Forwarder on the target server,
- create a Technical Add-on (TA),
- put your script in $your_TA/bin,
edit $your_TA/local/inputs.conf and adding a stanza like the following.
[script://./bin/your_script.sh]
disabled = 0Run once per minute
interval = 60
sourcetype = your_sourcetype
index = your_indexthen restart the Universal Forwarder.
It's better to deploy this TA using a Deployment Server.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @cusello , Its very clear that you have explained here .
Building Reliable Asset and Identity Frameworks in Splunk ES
Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting
Automatic Discovery Part 3: Practical Use Cases
