Input Script as a Data to Index the same in Splu...

anandhalagarasa · ‎06-21-2017

We got an requirement to input data via script and I am new to it. so how to achieve it.

So how to achieve it...

jkat54 · ‎06-21-2017

Create a shell script:

touch ssecls_executer.sh
chmod +x ssecls_executer.sh

Paste this into the shell script:

#!/usr/bin/env bash
/opt/SYMCScan/ssecls/ssecls -server 127.0.0.1 /bin/ls

Copy the shell script to a bin folder in a splunk app of your choice

mkdir /opt/splunk/etc/apps/MyAPP
mkdir /opt/splunk/etc/apps/MyAPP/bin
cp ssecls_executer.sh /opt/splunk/etc/apps/MyAPP/bin

Make an inputs.conf that runs the script:

mkdir /opt/splunk/etc/apps/MyAPP/default
touch /opt/splunk/etc/apps/MyAPP/default/inputs.conf

Paste this into the inputs.conf:

[script:///opt/splunk/etc/apps/MyApp/bin/ssecls_executer.sh]
interval = 60 # OR whatever interval in seconds / cron schedule you want to execute on (see inputs.conf documentation)
index = indexName
sourcetype = ssecls_executer
source = ssecls_executer.sh

Restart splunk and profit.

Input Script as a Data to Index the same in Splunk

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Mile High Learning with Splunk University, Denver, Colorado

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Join the Conversation