Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Shell Script to Check if Multiple Servers are ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Shell Script to Check if Multiple Servers are Correctly Forwarding Data
Hi all,
I have a list of servers in a text file "servers.txt."
I am trying to create a shell script that will see if all of my servers are sending data to Splunk on a daily basis. I have some scripting knowledge and created a script to see if the server is up or down by simply pinging it. I want to take this one step further. I want to know when the Splunk Forwarder has stopped working or something along those lines.
Any help would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think it would be a lot easier to verify the completion of data being forwarded by searching 1.) the index the data is being forwarded to, and 2.) the _internal index to verify connection. Then, if you don't see data in 1, you can check 2 to make sure the connection is alive, and if 1 & 2 are blank, then you can investigate further.
Splunk is actually really great at doing this, so I would suggest avoiding a scripting language or shell scripts if possible.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I understand Splunk is great at doing this, but this does not scale to thousands of servers. I have a list of 250 servers currently and it will grow into the tens of thousands.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could script a remote "splunk status"
$serverlist = get-content splunk80uf.list
foreach ($server in $serverlist)
{
$result = Invoke-WmiMethod -ComputerName $server -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c e:\app\SplunkUniversalForwarder\bin\splunk.exe status >E:\app\status80uf.log"
if ($result.ReturnValue -ne 0)
{
##$exception = New-Object System.ComponentModel.Win32Exception([int]$result.ReturnValue)
##Write-Error "Error launching installer on computer ${server}: $($exception.Message)"
echo Crap
}
}
sleep 5
foreach ($server in $serverlist)
{
write-host "$server`t" -nonewline
Get-content \\$server\e$\app\status80uf.log
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On Unix/Linux you could take a similar approach if you setup ssh keys.
ssh user1@server1 command1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is not working for me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What kind of errors or messages do you get?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
Keep the Learning Going with the New Best of .conf Hub
