Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Universal Forwarder problem

aalaa
Path Finder
‎11-25-2019 03:09 AM

Hello ,
I have a universal forwarder installed on an oracle server.
I configure this universal forwrader to monitor a script file (splunkhome \ bin \ script) that gives the enabled oracle services , but the problem that I receive the list of services activated after 20 munites that I activated or I disabled a service.
the goal is to create a real-time alert on the HS to notify that a service is currently enabled.

Any help please ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-25-2019 03:56 AM

Hi @aalaa,

do you configured a scripted input or a file monitoring? in other words: do you have a script scheduled on Unix that writes results in a file and then Splunk read the file or do you manage the script execution in Splunk (scripted input)?

Anyway in both cases the question is: what's the frequency of execution of the script?

If you're using a scripted input, the results are immediately forwarderd to Indexers, so the delay is the frequency of schedulation.

if the script writes results in a file, Splunk reads it with a delay of up to thirty seconds, so the delay is still the frequency of schedulation.

Ciao.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-25-2019 03:56 AM

Hi @aalaa,

do you configured a scripted input or a file monitoring? in other words: do you have a script scheduled on Unix that writes results in a file and then Splunk read the file or do you manage the script execution in Splunk (scripted input)?

Anyway in both cases the question is: what's the frequency of execution of the script?

If you're using a scripted input, the results are immediately forwarderd to Indexers, so the delay is the frequency of schedulation.

if the script writes results in a file, Splunk reads it with a delay of up to thirty seconds, so the delay is still the frequency of schedulation.

Ciao.
Giuseppe

Reply
Solved! Jump to solution

aalaa
Path Finder
‎11-25-2019 04:12 AM

Thank you Giuseppe for your response ,

I configured the script to writes in a file and i configure the file monitoring ,
how can i know the frequency of the script ?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-25-2019 05:37 AM

Hi @aalaa,
if you scheduled it using Unix scheduler you have to use cron (e.g.: */5 * * * * means every 5 minutes).

If you used Splunk inputs, see at https://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

interval = [<decimal>|<cron schedule>]
* How often, in seconds, to run the specified command, or a valid "cron"       schedule.
* If you specify the interval as a number, it may have a fractional       component; for example, 3.14
* To specify a cron schedule, use the following format:
  * "<minute> <hour> <day of month> <month> <day of week>"
  * Cron special characters are acceptable. You can use combinations of "*", ",", "/", and "-" to specify wildcards, separate values, specify ranges of values, and step values.
* The cron implementation for data inputs does not currently support names of months or days.
* The special value 0 forces this scripted input to be run continuously.
  As soon as the script exits, the input restarts it.
* The special value -1 causes the scripted input to run once on start-up.
* NOTE: when you specify a cron schedule, the input does not run the script on start-up.
* Default: 60.0

Ciao.
Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...