Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk is not Indexing Scripted Input Data

rsantoso_splunk
Splunk Employee
Splunk Employee
‎06-16-2019 09:13 PM

Splunk is not indexing the data through the Scripted input.

The input is working for the on-premise servers, the data input is through a universal forwarder. The same setup being configured, however, it is not working for the new host.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rsantoso_splunk
Splunk Employee
Splunk Employee
‎06-16-2019 09:14 PM

1.) To list the non-internal indexes and non-internal indexes

a. To list of all non-internal indexes:
| eventcount summarize=false index=* | dedup index | fields index

b. To list of all sourcetype within the non-internal indexes:
| tstats count where index=* by index, sourcetype

2.) inputs.conf

a. The configuration for scripts needs to be in formatted with script rather than monitor
b. The script need to be located at the $SPLUNK_HOME/bin/scripts
Example:
[script:///opt/splunkforwarder/bin/scripts/client-stats.sh]

3.) The scripts need the environment setup and the jar file to run.
Copy the setup env file and the jar file to the $SPLUNK_HOME/bin/scripts.
Change the permission and ownership of the file accordingly.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rsantoso_splunk
Splunk Employee
Splunk Employee
‎06-16-2019 09:14 PM

1.) To list the non-internal indexes and non-internal indexes

a. To list of all non-internal indexes:
| eventcount summarize=false index=* | dedup index | fields index

b. To list of all sourcetype within the non-internal indexes:
| tstats count where index=* by index, sourcetype

2.) inputs.conf

a. The configuration for scripts needs to be in formatted with script rather than monitor
b. The script need to be located at the $SPLUNK_HOME/bin/scripts
Example:
[script:///opt/splunkforwarder/bin/scripts/client-stats.sh]

3.) The scripts need the environment setup and the jar file to run.
Copy the setup env file and the jar file to the $SPLUNK_HOME/bin/scripts.
Change the permission and ownership of the file accordingly.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...