Splunk Search

How to run the ps command via Splunk Web with a built-in command?

xiyangyang
Path Finder

We want to run Linux commands via Splunk Web on Linux servers in which a UF is installed. For example, top, ps.
I found there are some built-in scripts such as ps.sh in the Splunk Add-on for Unix and Linux.
I wonder if there is any method to use these built-in scripts to run a custom search command via Splunk Web?
I know we can install the Splunk add-on on a Linux UF and use the [script:xxxx] stanza to check the results of Linux commands; however, we want to run the command to get real-time results.

0 Karma

harsmarvania57
Ultra Champion

Hi @xiyangyang,

You can check the Forwarder toolbox - TA-forwarderquery App https://splunkbase.splunk.com/app/2775/. From there you can run REST commands from your search head to the indexer, so using REST you can enable or disable a script stanza (ref document http://docs.splunk.com/Documentation/Splunk/6.6.4/RESTREF/RESTinput#data.2Finputs.2Fscript).

If you don't want to use the Forwarder toolbox - TA-forwarderquery App, another approach is to create your own custom command in which you pass the hostname and an enable/disable parameter, which fires the REST API to the forwarders to enable or disable the script stanza in inputs.conf.

In both cases you must have communication allowed on port 8089 from the SH to the UF, and as far as I know, if you want to run REST on the UF from remote servers, the UF admin user's default password should be changed; otherwise you can't fire REST on the UF from a remote server.

0 Karma
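The second approach in the answer above (a small client that takes a forwarder hostname and an enable/disable parameter and calls the forwarder's management REST API on port 8089) is shown below as an added example; it is not code from the thread or from the TA-forwarderquery app. The endpoint paths `data/inputs/script/{name}/enable` and `/disable` are the ones documented in the Splunk REST reference linked in the answer; the hostname `uf01.example.com`, the stanza name `./bin/ps.sh`, the `SPLUNK_PASSWORD` environment variable and the CA-file argument are assumptions for illustration.

```python
"""Enable or disable a scripted input on a Universal Forwarder over its
management port (8089), using only the Python standard library.

Assumptions (not from the original thread): hostnames, the stanza name and the
SPLUNK_PASSWORD environment variable are placeholders you replace.
"""
import argparse
import base64
import json
import os
import ssl
import sys
import urllib.parse
import urllib.request

MGMT_PORT = 8089  # Splunk management port; the SH needs a path to it on each UF.
VALID_ACTIONS = ("enable", "disable")


def build_toggle_request(host, stanza, action, port=MGMT_PORT):
    """Return (url, method) for toggling a [script://<stanza>] input.

    The stanza name usually contains slashes (e.g. "./bin/ps.sh"), so it must be
    percent-encoded with nothing left in the "safe" set, or the path would be
    misread as extra URL segments.
    """
    if action not in VALID_ACTIONS:
        raise ValueError(f"action must be one of {VALID_ACTIONS}, got {action!r}")
    encoded = urllib.parse.quote(stanza, safe="")
    url = f"https://{host}:{port}/services/data/inputs/script/{encoded}/{action}"
    return url, "POST"


def toggle_script_input(host, stanza, action, username, password, cafile=None):
    """POST to the enable/disable endpoint and return the parsed JSON reply.

    `cafile` should point at the CA that signed the forwarder's management
    certificate; the default Splunk certificate is self-signed, so without a
    CA file the TLS handshake is rejected here rather than silently trusted.
    """
    url, method = build_toggle_request(host, stanza, action)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url + "?output_mode=json", data=b"", method=method)
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def main(argv=None):
    parser = argparse.ArgumentParser(description="Toggle a UF scripted input via REST.")
    parser.add_argument("host", help="forwarder hostname, e.g. uf01.example.com (assumed)")
    parser.add_argument("action", choices=VALID_ACTIONS)
    parser.add_argument("--stanza", default="./bin/ps.sh",
                        help="script stanza name as it appears in inputs.conf (assumed default)")
    parser.add_argument("--user", default="admin")
    parser.add_argument("--cafile", default=None, help="CA bundle for the UF's management cert")
    args = parser.parse_args(argv)
    # The password is read from the environment so it never appears in `ps`
    # output or shell history (the thread notes the UF default password must be changed).
    password = os.environ.get("SPLUNK_PASSWORD")
    if not password:
        sys.exit("set SPLUNK_PASSWORD in the environment")
    reply = toggle_script_input(args.host, args.stanza, args.action, args.user,
                                password, cafile=args.cafile)
    for entry in reply.get("entry", []):
        print(entry["name"], "disabled =", entry["content"].get("disabled"))


if __name__ == "__main__":
    main()
```

Usage follows the three steps the thread is after: `SPLUNK_PASSWORD=... python toggle_uf.py uf01.example.com enable`, let the forwarder collect and forward the script's output, then run the same command with `disable`. Restrict TCP/8089 on each forwarder to the search head's address and use a non-admin role that holds only the capability to edit inputs, since this account can reconfigure every forwarder it reaches.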

xiyangyang
Path Finder

So the question will be:
what is the REST API to enable and disable a script stanza in the forwarder's inputs.conf?

I am sorry, I am not very familiar with REST API.

0 Karma

nickhills
Ultra Champion

Installing a UF on your Linux servers will give you real-time results. This would be the recommended approach.

However, if you really want to monitor a remote system 'from' your search head, technically you could write a script to log in via SSH, run the command and output the results, and run this as a scripted input. It is, however, a horrible solution and won't scale.

If my comment helps, please give it a thumbs up!
0 Karma

xiyangyang
Path Finder

The ideal picture is:
1. Users input a search command towards the specific UF in Splunk Web,
2. The script in the UF will be enabled, and the script is running.
3. After that, run the search command in Splunk Web again to disable the script in the UF.
No login via SSH.

This is some customer's request; however, I doubt whether a Splunk remote command can be run from the Search Head web toward the UF.

0 Karma

nickhills
Ultra Champion

Hi - I added this post. If you find it useful, please upvote the answer, or add your own solution if you found another way!

https://answers.splunk.com/answers/606762/how-do-i-monitor-jbosstomcatapacheetc-and-raise-an.html

If my comment helps, please give it a thumbs up!
0 Karma