I have a working scripted input using the first method below, however I'm wanting to get rid of the hard coding of SPLUNK_HOME and make it dynamic as sometimes Splunk is installed in different locations. I tried 3 different dynamic variations which all fail with the following message in the splunkd.log
ERROR ExecProcessor - message from ""C:\Program Files\Splunk\etc\apps\TA-btool-Win\bin\TA-btool.bat"" The filename, directory name, or volume label syntax is incorrect.
.bat file below
    #TA-btool.bat
    # working, however, using a hard coded path
    "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" btool --debug outputs list
    # fails
    "%SPLUNK_HOME%\bin\splunk.exe" btool --debug outputs list
    # fails
    "$SPLUNK_HOME\bin\splunk.exe" btool --debug outputs list
    # fails
    "..\..\..\..\bin\splunk.exe" btool --debug outputs list
inputs.conf file below
    [script://.\bin\TA-btool.bat]
    disabled = 0
    # set index below which will receive events - defaults to main
    #index = splunk_admin_p
    # every 60 seconds
    #interval = 60.0
    # every 5 minutes
    #interval = 300.0
    # every hour
    #interval = 6000
    # once a day - default
    interval = 86400.0
    # 15 minutes
    #interval = 900
    sourcetype = ta_btool
You can alternatively grab my Windows TA/scripted input here: http://downloads.jordan2000.com/splunk/TA-btool-Win.tgz
and a Linux version which could be used for comparison: http://downloads.jordan2000.com/splunk/TA-btool-Linux.tgz
btw, the Linux .sh version works just fine using $SPLUNK_HOME - I just couldn't solve how to do the equivalent on Windows using a .bat.
I will award Karma points to a working solution for the .bat file
To load Windows system variables
But it does not recognize the blank.
ex) C:\Program Files\Splunk
So we need to change
You use Windows system variables
ex) set SPLUNK_HOME="C:\Program Files\Splunk"
need double quotes
I must have had a typo somewhere or possibly had bad statements mixed with good. Ultimately, I got it to work with the following format in my .bat file.

    "%SPLUNK_HOME%\bin\splunk.exe" btool --debug inputs list
    "%SPLUNK_HOME%\bin\splunk.exe" btool --debug outputs list
    "%SPLUNK_HOME%\bin\splunk.exe" btool --debug props list
    "%SPLUNK_HOME%\bin\splunk.exe" btool --debug limits list
    "%SPLUNK_HOME%\bin\splunk.exe" btool --debug server list
    "%SPLUNK_HOME%\bin\splunk.exe" btool --debug web list
    "%SPLUNK_HOME%\bin\splunk.exe" btool --debug deploymentclient list
In your script, if you change to
    REM This will get the splunk.exe path dynamically within a bat file.
    for /f "delims=" %%a in ('where /r c:\ splunk.exe') do @set SPLUNK_EXE=%%a
    REM Quote the variable so a path containing spaces runs as one command.
    "%SPLUNK_EXE%" btool inputs list --debug
    "%SPLUNK_EXE%" btool outputs list --debug
    ..
and so on for Windows
Also another improvement you could do is to provide (inputs, outputs, limits, props) as a list and call in a for loop within .bat file
something like below
    REM FOR variables in a .bat file must be a single letter (%%C).
    FOR %%C IN (inputs, outputs, limits, props) DO (
        "%SPLUNK_EXE%" btool %%C list --debug
    )
Thanks for the ideas, @koshyk. The where command seems fairly intense on my Windows workstation CPU to recursively look for splunk.exe so I don't think I could push out to the Universal Forwarders on Windows servers.
Make sure you've defined the %SPLUNK_HOME% as a variable on your Windows or you won't be able to use it from a .bat script since it's actually a Splunk defined variable:
If you want to use a relative path as follows ..\..\..\..\bin\splunk.exe my advice is to output an ls from the script and see if you are hitting the right folder.
Thanks for your suggestions, @DavidHourani. Should %SPLUNK_HOME% already be set by the parent process since this is a process being spawned as a scripted input by either Splunk or the Splunk Universal Forwarder?
BTW, on Linux it does seem to have $SPLUNK_HOME available to it. It may very well be different on Windows. I was able to add the following statement to my .bat file.
and it did return back a valid value.
The following showed up in the event indexed by Splunk.
C:\WINDOWS\system32>echo C:\Program Files\Splunk
This leads me to think that I have a minor issue with surrounding the command or portions of the command with double or single quotes, etc. so it's properly interpreted at run time.
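
An added example, not code from any of the posts above: a .bat that uses %SPLUNK_HOME% when the variable is present and otherwise resolves the install root from the script's own folder with %~dp0, since the echoed prompt above shows the script running from C:\WINDOWS\system32, where a bare ..\..\..\.. cannot work. It assumes the app layout <root>\etc\apps\TA-btool-Win\bin seen in the error message; SPLUNK_ROOT is a name chosen here.

```bat
@echo off
REM Added example: locate splunk.exe without a hard-coded install path.
setlocal

REM Prefer SPLUNK_HOME when the parent process supplied it.
REM The :"= substitution strips quotes stored inside the value, so the
REM path is quoted exactly once where it is used.
if defined SPLUNK_HOME set "SPLUNK_ROOT=%SPLUNK_HOME:"=%"

REM Fallback: %~dp0 is this script's own folder, independent of the
REM working directory.
REM   <root>\etc\apps\TA-btool-Win\bin\  ->  four levels up is <root>
if not defined SPLUNK_ROOT for %%I in ("%~dp0..\..\..\..") do set "SPLUNK_ROOT=%%~fI"

set "SPLUNK_EXE=%SPLUNK_ROOT%\bin\splunk.exe"

REM Fail with a clear message in splunkd.log instead of a syntax error.
if not exist "%SPLUNK_EXE%" (
    echo ERROR: splunk.exe not found at "%SPLUNK_EXE%" 1>&2
    exit /b 1
)

REM FOR variables in a .bat file are a single letter with two percent signs.
for %%C in (inputs outputs props limits server web deploymentclient) do (
    "%SPLUNK_EXE%" btool --debug %%C list
)

endlocal
```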