Getting Data In

Why am I unable to execute a script file to collect data using the 'add oneshot' command?

leujinlove
Explorer

I have difficulty writing the right script to collect data not in real time but on a schedule.

First, I made 'inputs.conf' as below.

[root@localhost local]# cat /opt/splunkforwarder/etc/apps/search/local/inputs.conf
[script://./bin/scripts/daily_file.sh /opt/splunkforwarder/var/log/splunk/splunkd.log]
disabled = true
index = main
surce = /opt/splunkforwarder/var/log/splunk/splunkd.log
sourcetype = ScheduledIndexing

interval = 60

Then, I made a shell script.

[root@localhost local]# cat /opt/splunkforwarder/bin/scripts/daily_file.sh

#!/bin/bash

/opt/splunkforwarder/bin/splunk add oneshot $1 -auth admin:changeme

However, when I execute the script, it doesn't work well.

[root@localhost splunkforwarder]# ./bin/scripts/daily_file.sh

In handler 'oneshotinput': Cannot perform action "POST" without a target name to act on.

Could you tell me the reason and how to fix it?

Best Regards.

1 Solution

musskopf
Builder

Hello leujinlove,

As a starting point, the "oneshot" is not intended to be used/called from "inputs.conf". It's for ad-hoc data you want to load into Splunk, like you do when uploading a file using the Web GUI.

In your example you mixed a script input with the "oneshot". I'll not discuss why you want to load splunkd.log using "oneshot", as I believe it's only an example, right?! Anyway, from your example I'll split the options in two:

Using one-shot
Add to your crontab a line like that:
0 * * * * /opt/splunkforwarder/bin/splunk add oneshot /opt/splunkforwarder/var/log/splunk/splunkd.log -index main -sourcetype ScheduledIndexing -hostname localhost.localdomain -auth "admin:changeme"
It'll execute the oneshot command every hour and load all the content from the /opt/splunkforwarder/var/log/splunk/splunkd.log into the main index.

Using Script input
Do exactly what you did at the inputs.conf but change your script to:
#!/bin/bash
cat /opt/splunkforwarder/var/log/splunk/splunkd.log

What happens here is that a Script input will use the STD OUT from the actual script and load all the output into Splunk, using the index and sourcetype parameters you defined. Script inputs are more suitable for cases where, for example, you need to download something or perform some action not as simple as reading a file.

Now if you wish to have a script to perform actions and the end result of the action will be a file you want to load... I would use crontab calling a script and at the end of the same script use the "oneshot" command. I have exactly this model working here as I need to scp some content from another server where I'm not allowed to run Splunk Forwarder.... after I scp the files to the local server and perform some sanity checks I call the /opt/splunkforwarder/bin/splunk add oneshot... command, all in a single script.

ps.: Don't forget you have the "Monitor" input as well, which is designed to watch files and directories and load only the deltas.

Hope it helps!

Cheers,
Mike
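
The cron-plus-script model described in the answer above, as an added example that is not part of the original posts: a wrapper that rejects an empty or unusable target (the cause of the error in the question) before calling "splunk add oneshot". SPLUNK_BIN and SPLUNK_AUTH are names assumed for this sketch; the CLI flags are the ones shown in the thread.

```shell
#!/bin/bash
# Added example: cron-driven wrapper around "splunk add oneshot".
# SPLUNK_BIN and SPLUNK_AUTH are hypothetical names chosen for this sketch.
SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunkforwarder/bin/splunk}"

# check_target FILE -> 0 if FILE can be handed to oneshot, otherwise 2..5
check_target() {
    local file="${1:-}"
    # An empty argument is what produced 'Cannot perform action "POST"
    # without a target name to act on' in the question.
    [ -n "$file" ] || { echo "no target file given" >&2; return 2; }
    # Require an absolute path so cron's working directory does not matter.
    case "$file" in
        /*) ;;
        *) echo "path must be absolute: $file" >&2; return 3 ;;
    esac
    [ -f "$file" ] && [ -r "$file" ] || {
        echo "not a readable regular file: $file" >&2; return 4; }
    [ -s "$file" ] || { echo "file is empty: $file" >&2; return 5; }
    return 0
}

# oneshot_load FILE [INDEX] [SOURCETYPE]
oneshot_load() {
    local file="${1:-}" index="${2:-main}" sourcetype="${3:-ScheduledIndexing}"
    check_target "$file" || return $?
    # Credentials come from the environment (for instance a root-only file
    # sourced by the cron job), not from the script or the crontab line.
    [ -n "${SPLUNK_AUTH:-}" ] || { echo "SPLUNK_AUTH is not set" >&2; return 6; }
    "$SPLUNK_BIN" add oneshot "$file" -index "$index" \
        -sourcetype "$sourcetype" -auth "$SPLUNK_AUTH"
}

if [ "$#" -eq 0 ]; then
    echo "usage: $0 /absolute/path/to/file [index] [sourcetype]" >&2
else
    oneshot_load "$@"
fi
```

The distinct return codes let the calling cron job or a monitoring check tell a missing argument apart from a missing, empty or unreadable file.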


vince2010091
Path Finder

surce = /opt/splunkforwarder/var/log/splunk/splunkd.log is not valid: surce -> source
