Monitoring Splunk
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Script for UF

splunk_luis12
Path Finder
‎12-31-2021 03:35 PM

Hi all, 

how can I set the Universal Forwarder to run a script every 5 minute with a cronjob

Info of the script should be showing up when searching from the Search Head

Thanks in advance,

Max.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution

ashvinpandey
Contributor
‎12-31-2021 10:47 PM

@splunk_luis12 Try this:

[script://<cmd>]
interval = [<decimal>|<cron schedule>]

Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Inputsconf

Also if this reply helped you in solving your problem an up-vote would be appreciated 👍

 

Reply
Solved! Jump to solution

splunk_luis12
Path Finder
‎01-01-2022 09:05 AM

Hi ashvinpandey, 

I forgot to mention that it is for Linux (CLI)

how would you run the following script every 5 minutes? and in which directory should I include it the UF?

#!/bin/bash

function check processes (){
echo ""
echo "processes:"
top
echo ""
}
check_processes

 

I appreciate a lot your help!

 

Thanks,

Max.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-01-2022 09:21 AM

Max,

Create a Splunk app and put the script in the bin folder of that app.  The app also should contain a default directory with inputs.conf and props.conf files in it.  The inputs.conf file tells Splunk how to run the script.

[script://full/path/to/the/script]
interval = */5 * * * *
index = foo
sourcetype = mysourcetype

The props.conf file tells Splunk how to parse the data produced by the script.

[mysourcetype]
TIME_PREFIX = <<some regular expression to help Splunk find the timestamp of each event>>
TIME_FORMAT = <<time format string that describes the timestamp>>
# How many characters follow TIME_PREFIX until the end of the tiemestamp
MAX_TIMESTAMP_LOOKAHEAD = 132
SHOULD_LINEMERGE = false
# Regular expression that describes the text between events.
# Must contain a capture group.  The group will be discarded.
LINE_BREAKER = ([\r\n]+)
# Set this to the maximum size of the events produced by the script
TRUNCATE = 10000
EVENT_BREAKER_ENABLE = true
# Set this value to the same as LINE_BREAKER
EVENT_BREAKER = ([\r\n]+)

Use the Deployment Server to install the app on the relevant forwarders.  If you have a small number of forwarders (fewer than 3) you can install the app manually.

Also install the app on the indexer(s).

Restart the forwarders and indexers after installing the app.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Best Strategies to Optimize Observability Costs

 Join us on Tuesday, May 6, 2025, at 11 AM PDT / 2 PM EDT for an insightful session on optimizing ...

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...
Top