Getting Data In

How can one have visibility through searches of Data Integrity checks operations in Splunk?

skender27
Contributor

Hi,

My colleague and I are thinking of a report (then placed in a dashboard) about having visibility on the data integrity checks Splunk performs.
Once the stanza in indexes.conf is activated and the Splunk command splunk check-integrity -index <index_name> is executed, how can we at search time have some visualization of such activity?

Thanks,
Skender

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

You have to do the following steps:
- create a script with your command,
- put it into your app's bin directory,
- create an input stanza in your inputs.conf

for example:
script file check_integrity.sh
#!/bin/bash
# Run the integrity check; stderr is merged into stdout so that
# everything the command prints is picked up by the scripted input
$SPLUNK_HOME/bin/splunk check-integrity -index index_to_check 2>&1

inputs.conf
[script://$SPLUNK_HOME/etc/apps/yourapp/bin/check_integrity.sh]
disabled = 0
index = your_index
interval = 60.0
sourcetype = your_sourcetype
source = your_source

index_to_check is the index to check integrity
your_index is the index you create where you store the script results

Bye.
Giuseppe

gurlest
Path Finder

We are trying to do something similar with a loop to catch all of our indexes:

#!/bin/bash
# The index name is taken from the last path component of each directory
for path in /opt/data/*/*; do
    splunk check-integrity -index "${path##*/}" -verbose
done

However, I have noticed that the results of the command are only output to splunkd.log. I can find the output of the commands in the "_internal" index, but not in the index specified in inputs.conf

Do you have any guidance on how to get the results ingested into an index other than _internal?

0 Karma

potnuru
Path Finder

Hi @gurlest
Did you find the solution to the above query?
I am looking for the solution to the same query.

I need to capture the output of the check-integrity command (which runs through a script) to a specified index in Splunk.

0 Karma

gurlest
Path Finder

Yes, we did. We have been able to get it working like a champ. However, I would be a poor Splunk Admin if I didn't say this, as well: THIS IS HUGELY RESOURCE INTENSIVE. Ok. Now that that's out of the way... 🙂

Inputs > data_integrity_checks/local/inputs.conf

[script://./bin/integrity_checks.sh]
disabled = 0
interval = 3 10 * * 6
index = system_events
sourcetype = audit:integrity

Script > data_integrity_checks/bin/integrity_checks.sh

#!/bin/bash
# File with the index names to check, one per line
IDX='/opt/splunk/etc/slave-apps/data_integrity_checks/local/dataintegrity_indexes.txt'
for index in $(<"$IDX"); do
    # Merge stderr into stdout so the whole command output gets indexed
    "$SPLUNK_HOME/bin/splunk" check-integrity -index "$index" -verbose 2>&1
done

The script runs based on the list of indexes in the dataintegrity_indexes.txt file, or you could just pass a list of index names.
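When several indexes are checked in one loop, the raw command output does not say which index a line belongs to, and a non-zero exit is lost, which makes the dashboard the original question asks for hard to build. The wrapper below is an added example, not code from this thread; it tags every output line with the index name and an exit status as key=value pairs, takes the index names from its arguments, and assumes SPLUNK_HOME is set (Splunk sets it for scripted inputs); SPLUNK_BIN is an assumed override used only for testing.

```shell
#!/bin/sh
# Added example: scripted-input wrapper around "splunk check-integrity" that
# emits one timestamped key=value event per output line, tagged with the index.
# SPLUNK_BIN (assumed name) lets a test point at a stub instead of the real CLI.
SPLUNK_BIN="${SPLUNK_BIN:-$SPLUNK_HOME/bin/splunk}"

# emit <index> <key> <value>: print one Splunk-friendly line.
emit() {
    printf '%s index_checked=%s %s="%s"\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3"
}

# check_index <index>: run the check for one index, tag stdout+stderr lines,
# then add a status line carrying the command's exit code. Returns that code.
check_index() {
    index="$1"
    rc=0
    out=$("$SPLUNK_BIN" check-integrity -index "$index" -verbose 2>&1) || rc=$?
    printf '%s\n' "$out" | while IFS= read -r line; do
        if [ -n "$line" ]; then
            emit "$index" message "$line"
        fi
    done
    if [ "$rc" -eq 0 ]; then
        emit "$index" status ok
    else
        emit "$index" status "failed rc=$rc"
    fi
    return "$rc"
}

# Index names come from the arguments; keep going if one index fails so the
# remaining ones are still checked and their status lines still get indexed.
for idx in "$@"; do
    check_index "$idx" || true
done
```

The index names can be given on the stanza line of the scripted input (for example [script://./bin/integrity_checks.sh main web]), and at search time the events can then be split by index_checked and status.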

potnuru
Path Finder

@gurlest Thank you for the response, I will try the solution given above.

0 Karma

skender27
Contributor

Hi Giuseppe,

I tried, but only the Splunk commands get indexed and no output ("Total buckets checked... etc etc").
Since I am using Windows OS there should be something to modify in the .bat file to get the standard output...

Is it possible to get the indexed events in the _audit index (and not a custom one)?

Thanks,
Skender

0 Karma

gcusello
SplunkTrust
SplunkTrust

You have to give execution rights to the script: if you use operating commands like "query session" the script is correctly executed and its output indexed in Splunk.
Anyway, you could schedule on Windows the execution of the script as an administrator, writing results in a txt file that you can take with Splunk.
Bye.
Giuseppe

0 Karma

skender27
Contributor

I understand.
Thanks again!

Skender

0 Karma