Is it possible to use the oneshot command from a remote server.
Essentially we have a series of logs that are not able to be accessed by a forwarder in the normal ways (because of permissions etc.) is it possible to use the oneshot function to get the logs into a remote indexer using the CLI?
No. Invoking the oneshot command (
splunk add oneshot) causes the indexer to index a file locally on the indexer, regardless of how you invoke it.
However, if you're able to use the CLI from the machine where the data is stored, then you must have an instance of Splunk there. This instance could certainly be set up as a forwarder with outputs to the indexer, and no inputs. You can then call oneshot locally, and it would forward the data. I guess I don't really see a normal situation where you'd be able to use the CLI locally but not be able to forward.
Of course if it is oneshot, you can always just copy the files over to the indexer using some other method (scp, sftp, whatever) and then oneshot them or place them in the batch directory.
The indexer is managed by a 3rd party hence I have no "direct" access to its file system. The logs are transferred once a day by scripts and the locations are only accessible by interactive logins, hence the oneshot requirement.
I suppose my point is that if you can run oneshot, you can run a forwarder to forward to the indexer. Oneshot works locally where it is run. Hence, you have no problem.
rather, you should have no problem running oneshot on the forwarder where your files are. even if you could run oneshot remotely (I guess you could), it wouldn't do what you want. running it locally does.