Getting Data In

How to push a script out to remote forwarders?

yonphang
Explorer

Hello everyone,

I saw multiple posts regarding this but couldn't really understand the architecture behind it.

We have 3000 forwarders checked in to the server. We have Windows and Linux server classes. We also created apps to push the configuration files to all the forwarders.

But now we would like to implement resource monitoring through the agent. I wrote a batch script that would query the CPU usage and memory every minute, then output to a txt file, and get pushed out to the Splunk indexer.

I knew that if I need to run the script on the remote machine, I would need to place the script under $SPLUNK_HOME/etc/apps/MYAPP/bin.
The question is, how can I do that? Isn't it as simple as putting the script in the "app" and then restarting the Splunk agent, so the agents will pick it up whenever it's there? Am I right? And what configuration do I need specifically to make the script run?

I am new to Splunk and haven't had a chance to take any training, as the company did not provide any. I learn as I go.

Thank you

muebel
SplunkTrust

Hi yongphang, you'll want to utilize the deployment server to have the app delivered to the forwarders: http://docs.splunk.com/Documentation/Splunk/6.2.5/Updating/Updateconfigurations

One thing to keep in mind is that if you are using the Universal Forwarder, it does not come with Python bundled. Your scripted inputs will have to utilize native OS utilities, or otherwise have any dependencies already satisfied.

Let me know if this makes sense 😄

martin_mueller
SplunkTrust

Add a script:// entry to inputs.conf (<-- click that for docs), it'll automagically index stdout.

If you have a mix of Windows and Linux deployment servers, make sure the Linux forwarders are supplied by a Linux deployment server with the x bit set.

s0rbeto
Explorer

Thanks Martin, what do you mean by specifying x bit set?
I don't know anything about that, can you explain a little bit over here?
I appreciate that.

martin_mueller
SplunkTrust

Linux file permissions - Read, Write, eXecute. IIRC those permissions are carried over to the UF, and a shell script without the bit set won't execute.

yonphang
Explorer

It is a mixture of Windows and Unix/Linux; I was creating a batch script for Windows and bash for Unix/Linux.
I got the output file monitored under input.conf, how about getting the script to run? Also under input.conf?
How can I tell it's running? How about making Splunk suck in the output directly instead of picking up the txt file?
Thank you

martin_mueller
SplunkTrust

Is it a Windows or Linux deployment server? I recall there were some issues around Windows deployment servers not being able to correctly transmit the x bits to allow script execution.

Did you put the script into inputs.conf? Did you put a monitor entry into inputs.conf to monitor the files created by the script?
Consider reading the input directly, instead of writing to a file and monitoring that file.

MuS
SplunkTrust

Here is a link on how to fix the execution problem http://answers.splunk.com/answers/70039/windows-deployment-server-to-nix-deployment-client-permissio... if you deploy from a Windows deployment server to *nix clients.
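Added example, not part of any post in this thread: a check to run on a Linux deployment server before reloading, listing every `script://` input in an app whose file is missing or lacks the execute bit discussed above. The app layout, script names and sourcetype are constructed; only the `./bin/...` and `$SPLUNK_HOME/etc/apps/<app>/...` stanza forms are handled.

```shell
# Print the script path of every [script://...] stanza in an inputs.conf file.
script_stanzas() {
    sed -n 's|^\[script://\(.*\)][[:space:]]*$|\1|p' "$1"
}

# List scripted-input files under app dir $1 that are missing or lack the x bit.
# Handles ./bin/x and $SPLUNK_HOME/etc/apps/<app>/bin/x; Windows scripts are
# skipped because the x bit does not apply to them.
find_nonexec_scripts() {
    local app=$1 conf path rel
    for conf in "$app"/default/inputs.conf "$app"/local/inputs.conf; do
        [ -f "$conf" ] || continue
        script_stanzas "$conf" | while IFS= read -r path; do
            case $path in
                *.bat|*.cmd|*.ps1) continue ;;
                ./*) rel=${path#./} ;;
                '$SPLUNK_HOME'/etc/apps/*/*) rel=${path#*/etc/apps/*/} ;;
                *) continue ;;   # absolute paths outside the app are not checked
            esac
            [ -x "$app/$rel" ] || printf '%s\n' "$rel"
        done
    done
}

# Constructed sample: an app as it might sit in deployment-apps (names made up).
make_sample_app() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/MYAPP/default" "$d/MYAPP/bin"
    cat > "$d/MYAPP/default/inputs.conf" <<'EOF'
[script://./bin/cpu.sh]
interval = 60
sourcetype = resource:cpu

[script://$SPLUNK_HOME/etc/apps/MYAPP/bin/mem.sh]
interval = 60

[script://.\bin\cpu.bat]
interval = 60
EOF
    printf '#!/bin/sh\nuptime\n' > "$d/MYAPP/bin/cpu.sh"
    printf '#!/bin/sh\nfree -m\n' > "$d/MYAPP/bin/mem.sh"
    chmod 755 "$d/MYAPP/bin/cpu.sh"; chmod 644 "$d/MYAPP/bin/mem.sh"
    printf '%s\n' "$d/MYAPP"
}

app=$(make_sample_app)
find_nonexec_scripts "$app"   # prints bin/mem.sh
```

An empty result means every Unix scripted input in the app is executable on the deployment server; it says nothing about whether the bit survives delivery from a Windows deployment server.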
