Splunk Search

Enable FTP

Michael_Schyma1
Contributor

How do I enable FTP? (I know how to capture the logs after they are FTP'd to us)

We have devices that cannot have a universal forwarder installed on them. They only have FTP files. We need a way to FTP the files from these devices into our splunk server for processing.

Tags (1)
0 Karma
1 Solution

Ayn
Legend

Splunk itself does not include an FTP server. You need a third-party product to provide this functionality for you.

View solution in original post

dpapenbro
New Member

The FTP Receiver app is lacking documentation on how to get this app running. Does anyone have any suggestions? I ran this
(index=_internal sourcetype=ftp_modular_input) OR (sourcetype=ftp) per the troubleshooting details and received nothing.

0 Karma

LukeMurphey
Champion

There is a README.txt file in the app that contains instructions.

Now that you have the app installed, you will need to create an input to start the FTP server:

  1. Navigate to "Settings » Data Inputs" at the menu at the top of Splunk's user interface.
  2. Click "FTP"
  3. Click "New" to make a new instance of an input

Make sure that the path that you are serving the files from exists.

See https://raw.githubusercontent.com/LukeMurphey/splunk-ftp-receiver/master/src/README.txt for the full details.

0 Karma

LukeMurphey
Champion

There now is an app that runs an FTP server so that you can accept files via FTP into Splunk directly. See the "FTP Receiver" app.

0 Karma

nicholasgrabows
Path Finder

There is a new splunkbase app called "importutil". It lets you import csv files (or any input) from an http url via the splunk search command line. Also works for ftp. sftp is experimental.

http://splunk-base.splunk.com/apps/69078/importutil

Here is an ftp example. Pulling from the bureau of labor stats:

|importutil ftp ftp://ftp.bls.gov/pub/time.series/ce/ce.data.102.WeeklyEarningsHist
| multikv
| table series_id, year, period, value, footnote_codes

Here is an example that imports data from the federal reserve economic data website:

|importutil http http://research.stlouisfed.org/fred2/data/PAYEMS.csv
| multikv
| table DATE, VALUE
0 Karma

Ayn
Legend

Splunk itself does not include an FTP server. You need a third-party product to provide this functionality for you.

Michael_Schyma1
Contributor

Thank you so much! This is just what I was looking for.

Ayn
Legend

The most common ftpd in Linux is simply the ftpd you get if you run 'apt-get install ftpd' on a debian/ubuntu box. There's nothing wrong with that one. There's also ProFTPD, PureFTPD, vsftpd, etc. What you might want is an FTPD that has its own user management so you don't have to mix users in the FTP server software with those in the underlying operating system. The default ftpd doesn't do this if I recall correctly, but the other ones I listed do.

Michael_Schyma1
Contributor

Server Platform: Linux
Server platform Version: RHEL5
Client OS: Windows xp or 7
Splunk Version: 4.3.3

0 Karma

Ayn
Legend

Which OS / version?

0 Karma

Michael_Schyma1
Contributor

What product would you suggest?

0 Karma
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...