Script for UF

splunk_luis12

Hi all, 

How can I set the Universal Forwarder to run a script every 5 minutes with a cron job?

The information from the script should show up when searching from the Search Head.

Thanks in advance,

Max.


ashvinpandey

@splunk_luis12 Try this:

[script://<cmd>]
interval = [<decimal>|<cron schedule>]

Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Inputsconf

Also if this reply helped you in solving your problem an up-vote would be appreciated 👍


splunk_luis12

Hi ashvinpandey, 

I forgot to mention that it is for Linux (CLI).

How would you run the following script every 5 minutes? And in which directory of the UF should I put it?

#!/bin/bash

# Print a snapshot of the running processes. top is run in batch mode for a
# single iteration (-b -n 1) so it works without a terminal when splunkd runs it.
check_processes() {
    echo ""
    echo "processes:"
    top -b -n 1
    echo ""
}
check_processes


I appreciate your help a lot!


Thanks,

Max.


richgalloway

Max,

Create a Splunk app and put the script in the bin folder of that app.  The app also should contain a default directory with inputs.conf and props.conf files in it.  The inputs.conf file tells Splunk how to run the script.

[script://full/path/to/the/script]
interval = */5 * * * *
index = foo
sourcetype = mysourcetype

The props.conf file tells Splunk how to parse the data produced by the script.

[mysourcetype]
TIME_PREFIX = <<some regular expression to help Splunk find the timestamp of each event>>
TIME_FORMAT = <<time format string that describes the timestamp>>
# How many characters follow TIME_PREFIX until the end of the timestamp
MAX_TIMESTAMP_LOOKAHEAD = 132
SHOULD_LINEMERGE = false
# Regular expression that describes the text between events.
# Must contain a capture group.  The group will be discarded.
LINE_BREAKER = ([\r\n]+)
# Set this to the maximum size of the events produced by the script
TRUNCATE = 10000
EVENT_BREAKER_ENABLE = true
# Set this value to the same as LINE_BREAKER
EVENT_BREAKER = ([\r\n]+)

Use the Deployment Server to install the app on the relevant forwarders.  If you have a small number of forwarders (fewer than 3) you can install the app manually.

Also install the app on the indexer(s).

Restart the forwarders and indexers after installing the app.

---
If this reply helps you, Karma would be appreciated.
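As an added example that is not part of the thread (not richgalloway's or Splunk's own code): a shell script that lays out the app described above, with a scripted input that emits one timestamped line per process so that props.conf can find the timestamp. The app name and sourcetype proc_monitor, the event format, and the use of ps instead of interactive top (which needs a tty when run by splunkd) are assumptions; the index name foo and the cron interval are taken from the answer.

```shell
#!/bin/bash
# Added example, not code from the thread. Lays out a minimal Splunk app
# (assumed name: proc_monitor) with a scripted input that runs every 5
# minutes and emits one timestamped line per process (assumed format).
set -eu
# Create the app under $1, e.g. $SPLUNK_HOME/etc/apps/proc_monitor.
make_app() {
    local app="$1"
    mkdir -p "$app/bin" "$app/default"

    # The scripted input: splunkd indexes whatever it writes to stdout.
    # ps is used instead of interactive top, which needs a tty.
    cat > "$app/bin/check_processes.sh" <<'EOF'
#!/bin/bash
ts=$(date +%Y-%m-%dT%H:%M:%S%z)
ps -eo pid=,user=,pcpu=,pmem=,comm= | while read -r pid user cpu mem comm; do
    printf '%s pid=%s user=%s cpu=%s mem=%s process=%s\n' \
        "$ts" "$pid" "$user" "$cpu" "$mem" "$comm"
done
EOF
    chmod 755 "$app/bin/check_processes.sh"
    # Path is relative to the app directory; interval is a cron schedule.
    cat > "$app/default/inputs.conf" <<'EOF'
[script://./bin/check_processes.sh]
interval = */5 * * * *
index = foo
sourcetype = proc_monitor
disabled = 0
EOF

    # Every line starts with a 24-character ISO-8601 timestamp and is one event.
    cat > "$app/default/props.conf" <<'EOF'
[proc_monitor]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
MAX_TIMESTAMP_LOOKAHEAD = 24
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)
EOF
}

# Return 0 if the app has the three files the forwarder needs.
app_is_complete() {
    [ -x "$1/bin/check_processes.sh" ] &&
    [ -f "$1/default/inputs.conf" ] &&
    [ -f "$1/default/props.conf" ]
}
```

Run make_app against the apps directory on the forwarder (and copy the same app to the indexers, as the answer says), then restart splunkd.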