Re: How to run script on Universal Forwarder by Sp...

JuanAntunes · ‎10-01-2021

Hello Team!

I have a problem I need to solve, but I couldn't find a way to do it.

I have some servers that have Universal Forwarder installed and Windows services are being monitored through it. What happens is that sometimes some of these services are unavailable and there is a need to restart this service,

I would like to know if, somehow, as soon as Splunk identifies that one of these services is out, run a script on the local server that restarts that service

That is, I need to know if there is any way to run a script that is in the universal forwarder through Splunk Server

Thanks in advance!

somesoni2 · ‎10-01-2021

You should be able to run script from Universal forwarder via scripted inputs (can run at frequent interval to check the service status and run remediation steps). Only thing you'd need to take care is that Splunk universal forwarder should be running under an account which has sufficient permissions to run remedial steps.

JuanAntunes · ‎10-01-2021

@somesoni2 Thanks for your fast response!

I would need the trigger to be given by the Splunk server,

As if it were a "button" on the server that when clicked, runs the script on another server.

Because unfortunately I can't restart the service automatically, I need it to be alerted on a dashboard and then a person must perform this "click" to restart the service on the other server

somesoni2 · ‎10-01-2021

The "trigger" could be programmed into the script itself. Like checking a condition and if that condition is true, perform another command locally. Assuming the UF and windows service it's monitoring is on same server.

How to run script on Universal Forwarder by Splunk Server

administration

configuration

other

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms