Getting Data In

Why am I unable to execute a script file to collect data using the 'add oneshot' command?

leujinlove
Explorer

I have difficulty making the right script to collect data not in real time but on a schedule.

First, I made 'inputs.conf' as below.

[root@localhost local]# cat /opt/splunkforwarder/etc/apps/search/local/inputs.conf
[script://./bin/scripts/daily_file.sh /opt/splunkforwarder/var/log/splunk/splunkd.log]
disabled = true
index = main
surce = /opt/splunkforwarder/var/log/splunk/splunkd.log
sourcetype = ScheduledIndexing

interval = 60

Then, I made a shell script.

[root@localhost local]# cat /opt/splunkforwarder/bin/scripts/daily_file.sh

#!/bin/bash

/opt/splunkforwarder/bin/splunk add oneshot $1 -auth admin:changeme

However, when I execute the script, it doesn't work well.

[root@localhost splunkforwarder]# ./bin/scripts/daily_file.sh

In handler 'oneshotinput': Cannot perform action "POST" without a target name to act on.

Could you tell me the reason and how to fix it?

Best Regards.

1 Solution

musskopf
Builder

Hello leujinlove,

As a starting point, the "oneshot" is not intended to be used/called from "inputs.conf". It's for ad-hoc data you want to load into Splunk, like you do when uploading a file using the Web GUI.

In your example you mixed a script input with the "oneshot". I'll not discuss why you want to load splunkd.log using "oneshot", as I believe it's only an example, right?! Anyway, from your example I'll split the options in two:

Using one-shot
Add to your crontab a line like this:
0 * * * * /opt/splunkforwarder/bin/splunk add oneshot /opt/splunkforwarder/var/log/splunk/splunkd.log -index main -sourcetype ScheduledIndexing -hostname localhost.localdomain -auth "admin:changeme"
It'll execute the oneshot command every hour and load all the content from the /opt/splunkforwarder/var/log/splunk/splunkd.log into the main index.

Using Script input
Do exactly what you did at the inputs.conf but change your script to:
#!/bin/bash
cat /opt/splunkforwarder/var/log/splunk/splunkd.log

What happens here is that a Script input will use the stdout from the actual script and load all the output into Splunk, using the index and sourcetype parameters you defined. Script inputs are more suitable for cases where, for example, you need to download something or perform some action not as simple as reading a file.

Now if you wish to have a script to perform actions and the end result of the action will be a file you want to load... I would use crontab calling a script and at the end of the same script use the "oneshot" command. I have exactly this model working here, as I need to scp some content from another server where I'm not allowed to run Splunk Forwarder.... After I scp the files to the local server and perform some sanity checks, I call the /opt/splunkforwarder/bin/splunk add oneshot... command, all in a single script.

P.S.: Don't forget you have the "Monitor" input as well, which is designed to watch files and directories and load only the deltas.

Hope it helps!

Cheers,
Mike
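
The cron-plus-script model described in the accepted answer, as an added sketch that is not part of the original posts: it rejects an empty argument (running the question's script with no argument leaves `$1` empty, which is what the "without a target name" error reports), applies sanity checks, and only then calls `splunk add oneshot`. `SPLUNK_BIN`, `ALLOWED_DIR`, the function names and the directory allowlist are assumptions of this example; extra arguments such as `-auth` are passed through from the caller rather than hard-coded.

```shell
#!/bin/bash
# Added example (not from the thread): validate a file, then hand it to "splunk add oneshot".
# SPLUNK_BIN and ALLOWED_DIR are assumed names for this sketch, overridable from the environment.
SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunkforwarder/bin/splunk}"
ALLOWED_DIR="${ALLOWED_DIR:-/opt/splunkforwarder/var/log/splunk}"

# Print the resolved path and return 0 only for a readable, non-empty regular
# file located under ALLOWED_DIR. Return codes: 2 empty argument,
# 3 outside the allowed directory, 4 missing/unreadable/empty file.
check_target() {
    local target real allowed
    target="${1-}"
    if [ -z "$target" ]; then
        echo "no file given: 'add oneshot' needs a target" >&2
        return 2
    fi
    # Resolve symlinks and ".." before comparing against the allowed directory.
    real="$(readlink -f -- "$target")" || return 4
    allowed="$(readlink -f -- "$ALLOWED_DIR")" || return 3
    case "$real" in
        "$allowed"/*) ;;
        *) echo "refusing $real: outside $allowed" >&2; return 3 ;;
    esac
    if [ ! -f "$real" ] || [ ! -r "$real" ] || [ ! -s "$real" ]; then
        echo "refusing $real: not a readable, non-empty regular file" >&2
        return 4
    fi
    printf '%s\n' "$real"
}

# load_oneshot FILE [extra splunk arguments, e.g. -hostname or -auth]
load_oneshot() {
    local real
    real="$(check_target "${1-}")" || return $?
    shift
    # Index and sourcetype are the ones used in the thread.
    "$SPLUNK_BIN" add oneshot "$real" -index main -sourcetype ScheduledIndexing "$@"
}

# Entry point for cron: the file to load is the first argument.
if [ "$#" -gt 0 ]; then
    load_oneshot "$@"
fi
```
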


vince2010091
Path Finder

surce = /opt/splunkforwarder/var/log/splunk/splunkd.log is not valid: surce -> source
