Getting Data In

Invoke "oneshot" via remote CLI

bnolen
Path Finder

Is it possible to use the oneshot command from a remote server?

Essentially we have a series of logs that are not able to be accessed by a forwarder in the normal ways (because of permissions etc.). Is it possible to use the oneshot function to get the logs into a remote indexer using the CLI?

0 Karma
1 Solution

gkanapathy
Splunk Employee

No. Invoking the oneshot command (splunk add oneshot) causes the indexer to index a file locally on the indexer, regardless of how you invoke it.

However, if you're able to use the CLI from the machine where the data is stored, then you must have an instance of Splunk there. This instance could certainly be set up as a forwarder with outputs to the indexer, and no inputs. You can then call oneshot locally, and it would forward the data. I guess I don't really see a normal situation where you'd be able to use the CLI locally but not be able to forward.

Of course if it is oneshot, you can always just copy the files over to the indexer using some other method (scp, sftp, whatever) and then oneshot them or place them in the batch directory.

gkanapathy
Splunk Employee

Rather, you should have no problem running oneshot on the forwarder where your files are. Even if you could run oneshot remotely (I guess you could), it wouldn't do what you want. Running it locally does.

0 Karma

gkanapathy
Splunk Employee

I suppose my point is that if you can run oneshot, you can run a forwarder to forward to the indexer. Oneshot works locally where it is run. Hence, you have no problem.

0 Karma

bnolen
Path Finder

The indexer is managed by a 3rd party hence I have no "direct" access to its file system. The logs are transferred once a day by scripts and the locations are only accessible by interactive logins, hence the oneshot requirement.

0 Karma
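
The setup from the accepted answer (a local Splunk instance with an output to the indexer and no inputs, with oneshot run locally), as an added example that is not part of the thread. The install path, the index and sourcetype names and the indexer address are placeholders, and it assumes splunkd on the log host runs as the logged-in account so that it can read the files.

```shell
#!/bin/sh
# Added example, not from the thread. Source it in an interactive shell on the
# host that holds the logs:  . ./oneshot_forward.sh   (file name is hypothetical)
# Assumed: forwarder install path; splunkd runs as the logged-in account.
SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunkforwarder/bin/splunk}"

# One-time setup: give the local instance an output (the remote indexer's
# receiving port) and no inputs. Argument is host:port, for example the
# placeholder indexer.example.com:9997.
setup_forwarding() {
    "$SPLUNK_BIN" add forward-server "$1"
}

# oneshot_files INDEX SOURCETYPE FILE...
# Queues each file once on the local instance, which then forwards it.
# Sets ONESHOT_SENT and ONESHOT_SKIPPED; returns non-zero if any file was
# skipped or rejected, so a wrapper script can tell a partial batch apart.
oneshot_files() {
    os_index=$1; os_sourcetype=$2; shift 2
    ONESHOT_SENT=0; ONESHOT_SKIPPED=0
    for os_file in "$@"; do
        # Skip missing, unreadable or empty files instead of aborting the batch.
        if [ ! -f "$os_file" ] || [ ! -r "$os_file" ] || [ ! -s "$os_file" ]; then
            echo "skipped (missing, unreadable or empty): $os_file" >&2
            ONESHOT_SKIPPED=$((ONESHOT_SKIPPED + 1))
            continue
        fi
        if "$SPLUNK_BIN" add oneshot "$os_file" \
               -index "$os_index" -sourcetype "$os_sourcetype"; then
            ONESHOT_SENT=$((ONESHOT_SENT + 1))
        else
            echo "oneshot failed: $os_file" >&2
            ONESHOT_SKIPPED=$((ONESHOT_SKIPPED + 1))
        fi
    done
    [ "$ONESHOT_SKIPPED" -eq 0 ]
}
```

Run `setup_forwarding` once, then call `oneshot_files` with the index, the sourcetype and the day's files; the CLI prompts for Splunk credentials when it needs them.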