Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to run script on Universal Forwarder by Splunk Server

JuanAntunes
Explorer
‎10-01-2021 08:26 AM

Hello Team!

I have a problem I need to solve, but I couldn't find a way to do it.

I have some servers that have Universal Forwarder installed and Windows services are being monitored through it. What happens is that sometimes some of these services are unavailable and there is a need to restart this service,

I would like to know if, somehow, as soon as Splunk identifies that one of these services is out, run a script on the local server that restarts that service

That is, I need to know if there is any way to run a script that is in the universal forwarder through Splunk Server

Thanks in advance!

Labels (2)
Labels
0 Karma
Reply

kvanka
Loves-to-Learn
‎02-03-2025 11:23 AM

Has anyone tried to use this process for upgrading the Splunk Universal forwarder? 

0 Karma
Reply

somesoni2
Revered Legend
‎10-01-2021 09:15 AM

You should be able to run script from Universal forwarder via scripted inputs (can run at frequent interval to check the service status and run remediation steps). Only thing you'd need to take care is that Splunk universal forwarder should be running under an account which has sufficient permissions to run remedial steps.

0 Karma
Reply

JuanAntunes
Explorer
‎10-01-2021 09:20 AM

@somesoni2 Thanks for your fast response! 

I would need the trigger to be given by the Splunk server,

As if it were a "button" on the server that when clicked, runs the script on another server.

Because unfortunately I can't restart the service automatically, I need it to be alerted on a dashboard and then a person must perform this "click" to restart the service on the other server

0 Karma
Reply

somesoni2
Revered Legend
‎10-01-2021 09:50 AM

The "trigger" could be programmed into the script itself. Like checking a condition and if that condition is true, perform another command locally. Assuming the UF and windows service it's monitoring is on same server.

Tags (1)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...