Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to correctly setup scripted (bash script) on forwarded input (UF) in HF via CLI or configuration?

hamidseleman
New Member
‎05-08-2018 01:34 AM

Hi,
I've been googling for weeks but to no avail on how to correctly setup scripted input on HF to massage input forwarded from UF.
Following is simple setup for inputs:

inputs.conf in UF
[monitor:///path-to-log/file.txt]
sourcetype = mysourcetype
index = myindex
crcSalt = <SOURCE>
disabled = false

inputs.conf in HF
[script://./bin/scripts/massager.sh]
sourcetype = mysourcetype
index = myindex
interval = 60.0
disabled = false

Sample setup or link highly appreciated.

Thanks.

Tags (1)
0 Karma
Reply

adonio
Ultra Champion
‎05-08-2018 08:00 AM

hello there,

can you please elaborate?
what is it that you are trying to achieve?
you dont need any script on HF to send data that is coming from the UF, only configure inputs and outputs

0 Karma
Reply

hamidseleman
New Member
‎05-08-2018 04:46 PM

Hi,
I am trying to massage raw log sourced at UF by running script at HF before handing off data to Indexer. I dont want to run script at UF end. This is to free up UF from additional processing requirement.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-08-2018 06:36 PM

You’ll have to “massage” the data using props and transforms on the HF and possibly the UF.

See this article: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

0 Karma
Reply

hamidseleman
New Member
‎05-09-2018 02:01 AM

Thanks but for some reason I need to work with scripts.

0 Karma
Reply

adonio
Ultra Champion
‎05-09-2018 07:09 AM

@hamidseleman
i am not sure what exactly you are trying to achieve and why would you have to work with scripts.
you can massage the raw data from the UF at the HF using props and transforms.

0 Karma
Reply

hamidseleman
New Member
‎05-09-2018 07:16 AM

Hi,
what i am trying to achieve mostly is already stated exactly in the question itself. Anyway, thanks.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Celebrating the Winners of the ‘Splunk Build-a-thon’ Hackathon!

We are thrilled to announce the winners of the Splunk Build-a-thon, our first-ever hackathon dedicated to ...

Why You Should Register for Splunk University at .conf25

Level up before .conf25 even begins Splunk University is back in Boston, September 6–8, and it’s your chance ...

Building Splunk proficiency is a marathon, not a sprint

Building Splunk skills is a lot like training for a marathon. It’s about consistent progress, celebrating ...
Top