Hi, I have just tried adding my first scripted input to Splunk (a forwarder), but I am not getting the output in my Splunk index.
The script (/var/lib/someapp/process.sh):
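#!/bin/sh
# Emit one tab-separated event: timestamp, CPU% per matching process, process count
TIMESTAMP=`date "+%Y-%m-%d %T"`
# Column 3 of `ps aux` is %CPU
CPU=`ps aux | grep someproc | grep -v grep | awk '{print $3 }'`
PROCS=`ps ax | grep someproc | grep -v grep | wc -l`
echo -e "$TIMESTAMP\tCPU=$CPU\tNumProcs=$PROCS"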
The script is executable for all users (I can run the script as the splunk user and get the expected output). Here's inputs.conf (in $SPLUNK_HOME/etc/system/local/):
[script:///var/lib/someapp/process.sh]
disabled = 0
interval = 60
index = someIndex
sourcetype = txt
My understanding is that the script should then be executed every 60 seconds? When monitoring the splunkd.log, I don't see the script being run (however I see scripts from another installed app running). Also, I'm not getting anything in my search (running an RT search to monitor results).
Am I doing something wrong here?
You need to put the script into a /app/bin/ folder; it is a requirement. Splunk will only execute scripts from bin folders. From the docs:
* The <cmd> must reside in one of
* $SPLUNK_HOME/etc/system/bin/
* $SPLUNK_HOME/etc/apps/$YOUR_APP/bin/
* $SPLUNK_HOME/bin/scripts/
Link:
http://docs.splunk.com/Documentation/Splunk/6.0/admin/inputsconf
Regards
Thanks, I missed that. I was referencing this doc for setup: http://docs.splunk.com/Documentation/Splunk/6.0/Data/Setupcustominputs - this doesn't have any mention of directory requirements.
I moved the script to /opt/splunkforwarder/etc/system/bin and added the 'source' parameter to the input, and it started working.
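The directory restriction quoted in the answer limits which executables splunkd will launch on a schedule, and a stanza pointing elsewhere does not run. The following check is an added example, not code from this thread or from Splunk: the function name `check_script_inputs` and the sample stanzas are constructed for illustration, and it assumes stanza paths are absolute or start with a literal `$SPLUNK_HOME`.

```shell
#!/bin/sh
# Added example (not Splunk code): lint [script://...] stanzas read from stdin.
# Only absolute paths and a leading $SPLUNK_HOME are handled (assumption).

# Usage: check_script_inputs <splunk_home> < inputs.conf
# Prints "OK <path>" or "OUTSIDE <path>" per scripted input and returns 1
# if any command lies outside the three documented directories.
check_script_inputs() {
    home=${1%/}
    lit='$SPLUNK_HOME'
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '[script://'*']') ;;
            *) continue ;;              # not a scripted-input stanza
        esac
        path=${line#'[script://'}
        path=${path%']'}
        case $path in
            "$lit"/*) path=$home${path#"$lit"} ;;   # expand literal prefix
        esac
        rel=${path#"$home"/}            # unchanged if path is not under home
        verdict=OUTSIDE
        case $rel in
            */../*|*/..) ;;             # never accept path traversal
            etc/system/bin/*|bin/scripts/*) verdict=OK ;;
            etc/apps/*)
                sub=${rel#etc/apps/}    # <app>/bin/<cmd>
                sub=${sub#*/}           # drop the app name
                case $sub in bin/*) verdict=OK ;; esac ;;
        esac
        [ "$verdict" = OK ] || rc=1
        printf '%s %s\n' "$verdict" "$path"
    done
    return "$rc"
}

# Constructed sample: the stanza from the question and the relocated script.
check_script_inputs /opt/splunkforwarder <<'EOF' || echo "fix the stanzas marked OUTSIDE"
[script:///var/lib/someapp/process.sh]
interval = 60
[script://$SPLUNK_HOME/etc/system/bin/process.sh]
EOF
```
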