Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Script for UF

splunk_luis12
Path Finder
‎12-31-2021 03:35 PM

Hi all, 

how can I set the Universal Forwarder to run a script every 5 minute with a cronjob

Info of the script should be showing up when searching from the Search Head

Thanks in advance,

Max.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution

ashvinpandey
Contributor
‎12-31-2021 10:47 PM

@splunk_luis12 Try this:

[script://<cmd>]
interval = [<decimal>|<cron schedule>]

Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Inputsconf

Also if this reply helped you in solving your problem an up-vote would be appreciated 👍

 

Reply
Solved! Jump to solution

splunk_luis12
Path Finder
‎01-01-2022 09:05 AM

Hi ashvinpandey, 

I forgot to mention that it is for Linux (CLI)

how would you run the following script every 5 minutes? and in which directory should I include it the UF?

#!/bin/bash

function check processes (){
echo ""
echo "processes:"
top
echo ""
}
check_processes

 

I appreciate a lot your help!

 

Thanks,

Max.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-01-2022 09:21 AM

Max,

Create a Splunk app and put the script in the bin folder of that app.  The app also should contain a default directory with inputs.conf and props.conf files in it.  The inputs.conf file tells Splunk how to run the script.

[script://full/path/to/the/script]
interval = */5 * * * *
index = foo
sourcetype = mysourcetype

The props.conf file tells Splunk how to parse the data produced by the script.

[mysourcetype]
TIME_PREFIX = <<some regular expression to help Splunk find the timestamp of each event>>
TIME_FORMAT = <<time format string that describes the timestamp>>
# How many characters follow TIME_PREFIX until the end of the tiemestamp
MAX_TIMESTAMP_LOOKAHEAD = 132
SHOULD_LINEMERGE = false
# Regular expression that describes the text between events.
# Must contain a capture group.  The group will be discarded.
LINE_BREAKER = ([\r\n]+)
# Set this to the maximum size of the events produced by the script
TRUNCATE = 10000
EVENT_BREAKER_ENABLE = true
# Set this value to the same as LINE_BREAKER
EVENT_BREAKER = ([\r\n]+)

Use the Deployment Server to install the app on the relevant forwarders.  If you have a small number of forwarders (fewer than 3) you can install the app manually.

Also install the app on the indexer(s).

Restart the forwarders and indexers after installing the app.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...