Scripted Input Question

daniel333
Builder

Hey guys,

Just read this and was left a little confused, (my first time using Splunk so please forgive me)
http://docs.splunk.com/Documentation/Splunk/latest/Developer/ScriptedInputsIntro

Essentially I have a nice Perl script which I am using in Nagios. I would like to move the script into Splunk and inject the results into Splunk. So scripted input, right?

  1. Does it support perl? Bash? I only see Python (never heard of python until today)
  2. Seems like I must place my script file in every server that has the universal forwarder installed in a sub-directory?
  3. How do I specify how often the script should kick off?

After that I just assume Splunk indexes it like any other syslogger would with date time, source?

Thanks in advance!

0 Karma

lukeh
Contributor

I have written an app called 'Splunk for Nagios' which will do exactly what you're after 🙂

http://splunk-base.splunk.com/apps/22374/splunk-for-nagios

Essentially, you ingest the nagios log file into Splunk which gives you the ability to see all of your nagios events, including the output of your nagios plugins 🙂

All the best,

Luke 🙂

0 Karma

Ayn
Legend

Quick answers to your questions:

  1. Scripted input "supports" whatever script or other executable that your system supports, as it's the system's environment that is used. So if you have a working perl installation and refer to it by #!/usr/bin/perl (or whatever your perl path is) at the start of your script, you're good to go.
  2. Not entirely sure what you mean, but yes, every system that you plan to run the scripted input on needs a copy of that script.
  3. The interval for running the script is controlled by the parameter interval for a scripted input in the file inputs.conf. The sourcetype etc to use when gathering the script's output into Splunk are also set in this file, so it's a good idea to read the reference on it: $SPLUNK_HOME/etc/system/README/inputs.conf.{spec,example} or online: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

The results from your scripted input are handled as with any source of logs fed into Splunk. If there are timestamps in it, Splunk will use them. If not, Splunk will revert to other mechanisms to determine a timestamp, for instance using the time the event arrived at Splunk. For more information on how Splunk determines timestamps, check http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps
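
An added example, not part of the thread and not code from any poster or from Splunk: a shell wrapper that runs a Nagios-style check and prints one timestamped key=value event per run, with the matching inputs.conf stanza in the header comment. The app name `my_checks`, the file name `check_wrapper.sh`, the sourcetype `nagios:check` and the `sample_plugin` stand-in for the real Perl plugin are all assumptions.

```shell
#!/bin/sh
# Wrapper for a Nagios-style check, run by Splunk as a scripted input.
# Matching inputs.conf stanza (app name, path and sourcetype are assumptions):
#
#   [script://$SPLUNK_HOME/etc/apps/my_checks/bin/check_wrapper.sh]
#   interval = 300
#   sourcetype = nagios:check
#   disabled = 0

# Map a Nagios plugin exit code to its state name.
state_name() {
    case "$1" in
        0) echo OK ;;
        1) echo WARNING ;;
        2) echo CRITICAL ;;
        *) echo UNKNOWN ;;
    esac
}

# format_event TIMESTAMP CHECK_NAME EXIT_CODE PLUGIN_OUTPUT
# Prints a single-line event that starts with the timestamp, so the event
# carries its own time instead of relying on arrival time.
format_event() {
    ts=$1; name=$2; rc=$3; out=$4
    # Keep the first output line only, drop perfdata after '|', escape quotes.
    msg=$(printf '%s\n' "$out" | head -n 1 | sed -e 's/ *|.*$//' -e 's/"/\\"/g')
    printf '%s check=%s state=%s exit_code=%s message="%s"\n' \
        "$ts" "$name" "$(state_name "$rc")" "$rc" "$msg"
}

# run_check CHECK_NAME COMMAND [ARGS...]
# Runs the plugin, captures output and exit code, emits one event on stdout.
run_check() {
    name=$1; shift
    rc=0
    out=$("$@" 2>&1) || rc=$?   # a non-zero exit is data here, not a failure
    format_event "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$name" "$rc" "$out"
}

# Constructed sample standing in for the real plugin (hypothetical output).
sample_plugin() { echo 'DISK WARNING - /var 85% used | var=85%;80;90'; return 1; }

# Replace sample_plugin with the real command, e.g. the Perl script's path.
run_check disk_var sample_plugin
```

Whatever the script writes to stdout becomes the event data, so the wrapper keeps each run to one line and folds the plugin's exit code into the event rather than into its own exit status.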
