Input Script as a Data to Index the same in Splu...

anandhalagarasa · ‎06-21-2017

We got an requirement to input data via script and I am new to it. so how to achieve it.

So how to achieve it...

jkat54 · ‎06-21-2017

Create a shell script:

touch ssecls_executer.sh
chmod +x ssecls_executer.sh

Paste this into the shell script:

#!/usr/bin/env bash
/opt/SYMCScan/ssecls/ssecls -server 127.0.0.1 /bin/ls

Copy the shell script to a bin folder in a splunk app of your choice

mkdir /opt/splunk/etc/apps/MyAPP
mkdir /opt/splunk/etc/apps/MyAPP/bin
cp ssecls_executer.sh /opt/splunk/etc/apps/MyAPP/bin

Make an inputs.conf that runs the script:

mkdir /opt/splunk/etc/apps/MyAPP/default
touch /opt/splunk/etc/apps/MyAPP/default/inputs.conf

Paste this into the inputs.conf:

[script:///opt/splunk/etc/apps/MyApp/bin/ssecls_executer.sh]
interval = 60 # OR whatever interval in seconds / cron schedule you want to execute on (see inputs.conf documentation)
index = indexName
sourcetype = ssecls_executer
source = ssecls_executer.sh

Restart splunk and profit.

Input Script as a Data to Index the same in Splunk

New Year, New Changes for Splunk Certifications

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Join the Conversation

Input Script as a Data to Index the same in Splunk

New Year, New Changes for Splunk Certifications

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...