Splunk Search

How to get output from external commands run through Perl and use as scripted input

samaikins
New Member

Hi

I am trying to run a command through Perl and use the results as scripted input, which will be indexed by Splunk.
However, I don't get any output when I run the script through Splunk.
I have tried the Perl "system" module and "backticks", but neither of them works.

The script works fine if i run it manually through the command line.

# Capture the output of find via backticks, then print it for Splunk to index
$myresults = `find $flags[0] -maxdepth 1 -type f -name $flags[1] -mmin $min_val -ls`;
print $myresults;

The script has been added to the input.conf.

Some help will be much appreciated

Thanks
Sam

0 Karma

jmallorquin
Builder

Hi,

Use the bin folder to write a sh script with your Perl command, then in the inputs.conf configure a stanza with the sh script.

Hope I help you.

0 Karma

samaikins
New Member

Hi
Sorry, I forgot to mention I have already done that.
Regular print statements in the script work fine. It's just the ones with commands that don't work.

0 Karma

jmallorquin
Builder

Hi,

Can you show the inputs.conf, and also have you checked that the Splunk user has rights to execute the script?

0 Karma

samaikins
New Member

This is the input.conf, and I am running this from the admin account.

[script://$SPLUNK_HOME/etc/apps/dir_patrol/bin/dir_patrol.pl]
disabled = 0
interval = 60.0
sourcetype = dir_patrol

0 Karma

samaikins
New Member

Hi,
Changing the input.conf didn't help.
Just to clarify:
The actual script works. Only the line below doesn't return any results.
"$myresults = `find $flags[0] -maxdepth 1 -type f -name $flags[1] -mmin $min_val -ls`;"

0 Karma

jmallorquin
Builder

Ok,
So the problem is with Perl... have you tried building the command before executing it?

# Build the full command string first, then print it and run it
$command = "find"." ".$flags[0]." -maxdepth 1 -type f -name"." ".$flags[1]." -mmin ".$min_val." -ls";

print("$command\n");
system($command);

Hope I help you

0 Karma
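An added example, not code from any poster in this thread: one way to run the same find from Perl without going through a shell, so the -name pattern reaches find unexpanded and values containing shell metacharacters cannot alter the command, with find's stderr merged into the output so failures show up in what Splunk indexes. The directory, pattern and -mmin value are constructed sample values standing in for $flags[0], $flags[1] and $min_val, and run_find is a hypothetical helper name.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample values; in the thread these come from @flags and $min_val.
my @flags   = ('/tmp', '*.xml');
my $min_val = 300;

# Hypothetical helper: runs find with an argument list (no shell involved)
# and returns its exit status followed by every line it wrote.
sub run_find {
    my ($dir, $pattern, $mmin) = @_;

    # Reject values that find would parse as options or expressions.
    die "bad directory: $dir\n"    if $dir =~ /^-/ or !-d $dir;
    die "bad -mmin value: $mmin\n" unless $mmin =~ /^[+-]?\d+$/;

    my @cmd = ('find', $dir, '-maxdepth', '1', '-type', 'f',
               '-name', $pattern, '-mmin', $mmin, '-ls');

    # Implicit fork: the parent reads the child's stdout through $out.
    my $pid = open(my $out, '-|');
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {
        # Child: send stderr down the same pipe, then exec find directly.
        open(STDERR, '>&', \*STDOUT) or die "dup failed: $!\n";
        exec { $cmd[0] } @cmd or die "exec failed: $!\n";
    }

    my @lines = <$out>;
    close($out);                 # waits for find and sets $?
    return ($? >> 8, @lines);
}

$| = 1;                          # unbuffered stdout for the scripted input
my ($status, @lines) = run_find($flags[0], $flags[1], $min_val);
print @lines;
print "find exited with status $status\n" if $status != 0;
```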

samaikins
New Member

I tried your method, and I see no errors. However, the command does not show any results.

0 Karma

jmallorquin
Builder

Hi,
Review the _internal index to see if there is any error.

Hope I help you

0 Karma

samaikins
New Member

Hi Jmallorquin,

I found out scripted input in Splunk doesn't seem to work well with Linux "find" with the "-ls" flag

find . -maxdepth 1 -type f -name "*.xml" -mmin 300 -ls

When I use the find command without "-ls", I get an output.

0 Karma

jmallorquin
Builder

Hi,

The problem is in the stanza

You have to use

[script://./bin/dir_patrol.pl]
disabled = 0
interval = 60
sourcetype = dir_patrol

Hope I help you

0 Karma