Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Script for UF

splunk_luis12
Path Finder
‎12-31-2021 03:35 PM

Hi all, 

how can I set the Universal Forwarder to run a script every 5 minute with a cronjob

Info of the script should be showing up when searching from the Search Head

Thanks in advance,

Max.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution

ashvinpandey
Contributor
‎12-31-2021 10:47 PM

@splunk_luis12 Try this:

[script://<cmd>]
interval = [<decimal>|<cron schedule>]

Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Inputsconf

Also if this reply helped you in solving your problem an up-vote would be appreciated 👍

 

Reply
Solved! Jump to solution

splunk_luis12
Path Finder
‎01-01-2022 09:05 AM

Hi ashvinpandey, 

I forgot to mention that it is for Linux (CLI)

how would you run the following script every 5 minutes? and in which directory should I include it the UF?

#!/bin/bash

function check processes (){
echo ""
echo "processes:"
top
echo ""
}
check_processes

 

I appreciate a lot your help!

 

Thanks,

Max.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-01-2022 09:21 AM

Max,

Create a Splunk app and put the script in the bin folder of that app.  The app also should contain a default directory with inputs.conf and props.conf files in it.  The inputs.conf file tells Splunk how to run the script.

[script://full/path/to/the/script]
interval = */5 * * * *
index = foo
sourcetype = mysourcetype

The props.conf file tells Splunk how to parse the data produced by the script.

[mysourcetype]
TIME_PREFIX = <<some regular expression to help Splunk find the timestamp of each event>>
TIME_FORMAT = <<time format string that describes the timestamp>>
# How many characters follow TIME_PREFIX until the end of the tiemestamp
MAX_TIMESTAMP_LOOKAHEAD = 132
SHOULD_LINEMERGE = false
# Regular expression that describes the text between events.
# Must contain a capture group.  The group will be discarded.
LINE_BREAKER = ([\r\n]+)
# Set this to the maximum size of the events produced by the script
TRUNCATE = 10000
EVENT_BREAKER_ENABLE = true
# Set this value to the same as LINE_BREAKER
EVENT_BREAKER = ([\r\n]+)

Use the Deployment Server to install the app on the relevant forwarders.  If you have a small number of forwarders (fewer than 3) you can install the app manually.

Also install the app on the indexer(s).

Restart the forwarders and indexers after installing the app.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...