Universal Forwarder problem

Hello,
I have a universal forwarder installed on an Oracle server.
I configured this universal forwarder to monitor a script file (splunkhome \ bin \ script) that gives the enabled Oracle services, but the problem is that I receive the list of activated services 20 minutes after I activated or disabled a service.
The goal is to create a real-time alert on the HS to notify that a service is currently enabled.

Any help, please?

Hi @aalaa,

Did you configure a scripted input or file monitoring? In other words: do you have a script scheduled on Unix that writes results to a file that Splunk then reads, or do you manage the script execution in Splunk (scripted input)?

Anyway in both cases the question is: what's the frequency of execution of the script?

If you're using a scripted input, the results are immediately forwarded to the Indexers, so the delay is the scheduling frequency.

If the script writes results to a file, Splunk reads it with a delay of up to thirty seconds, so the delay is still the scheduling frequency.


Thank you Giuseppe for your response,

I configured the script to write to a file and I configured the file monitoring.
How can I know the frequency of the script?

Hi @aalaa,
If you scheduled it using the Unix scheduler, you have to use cron (e.g.: */5 * * * * means every 5 minutes).

If you used Splunk inputs, see https://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

interval = [<decimal>|<cron schedule>]
* How often, in seconds, to run the specified command, or a valid "cron" schedule.
* If you specify the interval as a number, it may have a fractional component; for example, 3.14
* To specify a cron schedule, use the following format:
  * "<minute> <hour> <day of month> <month> <day of week>"
  * Cron special characters are acceptable. You can use combinations of "*", ",", "/", and "-" to specify wildcards, separate values, specify ranges of values, and step values.
* The cron implementation for data inputs does not currently support names of months or days.
* The special value 0 forces this scripted input to be run continuously.
  As soon as the script exits, the input restarts it.
* The special value -1 causes the scripted input to run once on start-up.
* NOTE: when you specify a cron schedule, the input does not run the script on start-up.
* Default: 60.0
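
As an added example (not part of the original posts and not Splunk's own code), the Python sketch below reads an inputs.conf and reports the effective schedule of each scripted input, applying the interval rules quoted above. The stanza names, script paths and sample file are constructed for illustration, and it reads a single file rather than Splunk's merged configuration.

```python
import configparser

DEFAULT_INTERVAL = 60.0  # "Default: 60.0" in the spec text quoted above

# Constructed sample inputs.conf; every script path and stanza is hypothetical.
SAMPLE_INPUTS_CONF = """
[script://$SPLUNK_HOME/bin/scripts/oracle_services.sh]
interval = 1200
[script://$SPLUNK_HOME/bin/scripts/oracle_services_fast.sh]
interval = */5 * * * *
[script://$SPLUNK_HOME/bin/scripts/listener_watch.sh]
interval = 0
[script://$SPLUNK_HOME/bin/scripts/inventory.sh]
interval = -1
[script://$SPLUNK_HOME/bin/scripts/no_interval.sh]
sourcetype = oracle:misc
[monitor:///var/log/oracle_services.log]
sourcetype = oracle:services
"""

def describe_interval(raw):
    """Classify one interval value according to the quoted spec."""
    if raw is None:
        return ("seconds", DEFAULT_INTERVAL)  # setting absent: default applies
    try:
        value = float(raw)
    except ValueError:
        # Not a number: accept it as cron only if it has the five documented fields.
        return ("cron", raw) if len(raw.split()) == 5 else ("invalid", raw)
    if value == 0:
        return ("continuous", None)       # restarted as soon as the script exits
    if value == -1:
        return ("once_at_startup", None)  # never re-run, so no periodic updates
    return ("seconds", value) if value > 0 else ("invalid", raw)

def scripted_input_schedules(conf_text):
    """Return {script stanza: (kind, value)}; monitor stanzas have no interval."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(conf_text)
    return {s: describe_interval(parser[s].get("interval"))
            for s in parser.sections() if s.startswith("script://")}

if __name__ == "__main__":
    for stanza, schedule in scripted_input_schedules(SAMPLE_INPUTS_CONF).items():
        print(stanza, "->", schedule)
```

On a real forwarder, `splunk btool inputs list --debug` shows the merged settings and the file each one comes from, which is the text to feed to a check like this.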

