Hey guys,
Just read this and was left a little confused (my first time using Splunk, so please forgive me):
http://docs.splunk.com/Documentation/Splunk/latest/Developer/ScriptedInputsIntro
Essentially I have a nice Perl script which I am using in Nagios. I would like to move the script into Splunk and inject the results into Splunk. So scripted input, right?
After that I just assume Splunk indexes it like any other syslogger would with date time, source?
Thanks in advance!
I have written an app called 'Splunk for Nagios' which will do exactly what you're after 🙂
http://splunk-base.splunk.com/apps/22374/splunk-for-nagios
Essentially, you ingest the Nagios log file into Splunk, which gives you the ability to see all of your Nagios events, including the output of your Nagios plugins 🙂
All the best,
Luke 🙂
Quick answers to your questions:
#!/usr/bin/perl
(or whatever your Perl path is) at the start of your script, you're good to go.
interval
for a scripted input in the file inputs.conf. The sourcetype etc. to use when gathering the script's output into Splunk are also set in this file, so it's a good idea to read the reference on it: $SPLUNK_HOME/etc/system/README/inputs.conf.{spec,example}
or online: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
The results from your scripted input are handled as with any source of logs fed into Splunk. If there are timestamps in it, Splunk will use that. If not, Splunk will revert to other mechanisms to determine a timestamp, for instance using the time the event arrived at Splunk. For more information on how Splunk determines timestamps, check http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps
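One way to make the timestamp handling described in the answer above explicit, as an added example that is not part of the original posts: a POSIX shell wrapper that runs a Nagios-style plugin and prints one event with a leading UTC timestamp and the plugin state, so the event time does not depend on arrival time. The function names, the key=value field layout and `sample_plugin` are assumptions made for illustration; `interval` and the sourcetype are still set in inputs.conf as the answer says.

```shell
#!/bin/sh
# Added example (not from the thread): wrapper for a Nagios-style plugin.
# Nagios plugins report state through the exit code (0 OK, 1 WARNING,
# 2 CRITICAL, 3 UNKNOWN) and a one-line message on stdout.

# Map a plugin exit code to its Nagios state name.
nagios_state() {
    case "$1" in
        0) echo OK ;;
        1) echo WARNING ;;
        2) echo CRITICAL ;;
        *) echo UNKNOWN ;;
    esac
}

# Build one event: ISO 8601 UTC timestamp first, then key=value pairs.
# Only the first output line is kept, and double quotes in it are replaced
# so the quoted value stays a single field.
format_event() {   # args: check_name exit_code message
    msg=$(printf '%s' "$3" | head -n 1 | tr '"' "'")
    printf '%s check="%s" state=%s rc=%s output="%s"\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$(nagios_state "$2")" "$2" "$msg"
}

# Run the plugin given as arguments and emit a single event on stdout.
# A failing plugin must not abort the wrapper, so its status is captured.
run_check() {      # args: check_name command [args...]
    name=$1; shift
    rc=0
    out=$("$@" 2>&1) || rc=$?
    format_event "$name" "$rc" "$out"
}

# Constructed stand-in for the Perl plugin (hypothetical output and status).
sample_plugin() { echo 'DISK WARNING - /var at 91% "used"'; return 1; }

# Direct use: wrapper.sh <check_name> <plugin> [args...]
# Does nothing when called without arguments.
if [ "$#" -gt 0 ]; then run_check "$@"; fi
```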