Getting Data In

Guide for creating Add-ons to deploy to (Universal)Forwarders?

kentcoble
Explorer

Our department needs to collect the serial numbers of all physical drives connected to all machines within our network. Since there are over 1000 hosts, we would like to be able to collect this information within Splunk on a fixed interval. Since the Splunk Add-On for Windows and Splunk Add-On for *nix doesn't contain this information, I've developed a Python script that can collect this for us. (A Powershell version for Windows will have to be developed.)

I've reviewed the documentation for Scripted Inputs but this appears to be a manual process for each host. The Add-on Builder also appears to be limited to just Splunk servers. I cannot, for the life of me, find a guide on how to create Add-ons for deployment with UniversalForwarders. I've even tried to review the Windows and *nix Add-Ons but they're very complex.

Can someone point me to any official documentation for creating Add-Ons that are compatible with UniversalForwarders, or to blog posts or any other kind of reference?

0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi kentcoble,

I'm not sure if there is a special docs page about this topic, but basically what you need to do at a minimum is to create your add-on folder that contains a bin and a local directory. Store your scripts in the bin folder, make sure it is executable, and configure the inputs.conf in local like this for *nix:

[script://./bin/YourScriptNameHere.py]
interval = inSeconds or cronSchedule
sourcetype = something
index = another one

and like this for Windows:

[script://.\bin\YourScriptNameHere.ps]
interval = inSeconds or cronSchedule
sourcetype = something
index = another one

This should do it and you can deploy it to the universal forwarder.

Hope this helps ...

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi kentcoble,

I'm not sure if there is a special docs page about this topic, but basically what you need to do at a minimum is to create your add-on folder that contains a bin and a local directory. Store your scripts in the bin folder, make sure it is executable, and configure the inputs.conf in local like this for *nix:

[script://./bin/YourScriptNameHere.py]
interval = inSeconds or cronSchedule
sourcetype = something
index = another one

and like this for Windows:

[script://.\bin\YourScriptNameHere.ps]
interval = inSeconds or cronSchedule
sourcetype = something
index = another one

This should do it and you can deploy it to the universal forwarder.

Hope this helps ...

cheers, MuS

kentcoble
Explorer

Works like a charm! Thank you so much!

0 Karma

kentcoble
Explorer

I would just save this under $SPLUNK_HOME/etc/deployment-apps/$NewAppName? Does it need anything else (i.e. metadata or default folders)?

0 Karma

MuS
SplunkTrust
SplunkTrust

Yes, it goes in that directory. metadata would be needed if you want to export system wide or set permission within Splunk on apps objects. You can also put it into the default folder, my 2cents here: put it into local

cheers, MuS

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...