Splunk Search

How to run the ps command via Splunk web with a built-in command?

xiyangyang
Path Finder

We want to run Linux commands via Splunk web on Linux servers on which a UF is installed. For example, top, ps.
I found there are some built-in scripts such as ps.sh in the Splunk Add-on for Unix and Linux.
I wonder if there is any method to use these built-in scripts to run a custom search command via Splunk web?
I know we can install the Splunk add-on on the Linux UF and use a [script:xxxx] stanza to check the result of Linux commands; however, we want to run the command to get a real-time result.


harsmarvania57
SplunkTrust

Hi @xiyangyang,

You can check the Forwarder toolbox - TA-forwarderquery App https://splunkbase.splunk.com/app/2775/; from there you can run REST commands from your search head to the indexer, so using REST you can enable and disable a script stanza (ref document http://docs.splunk.com/Documentation/Splunk/6.6.4/RESTREF/RESTinput#data.2Finputs.2Fscript).

If you don't want to use the Forwarder toolbox - TA-forwarderquery App, another approach is to create your own custom command in which you pass the hostname and an enable/disable parameter, which will fire the REST API call to the forwarders to enable and disable the script stanza in inputs.conf.

In both cases you must have communication allowed on port 8089 from the SH to the UF, and as far as I know, if you want to run REST on a UF from a remote server, the UF admin user's default password must be changed; otherwise you can't fire REST calls on the UF from a remote server.

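As an added example of the REST approach described above (not code from the thread or from the TA-forwarderquery app), this builds and sends the data/inputs/script/{name}/enable or /disable request to a forwarder's management port. The hostname, credentials and the stanza path are constructed placeholders; the real stanza name is whatever appears in the forwarder's inputs.conf.

```python
# Added example: toggle a scripted input stanza on a forwarder over its
# management port (8089) using the data/inputs/script/{name}/enable|disable
# REST endpoints referenced in the thread.
import base64
import ssl
import urllib.error
import urllib.parse
import urllib.request

MGMT_PORT = 8089
ACTIONS = ("enable", "disable")


def script_input_url(host, stanza, action, port=MGMT_PORT):
    """Return the REST URL for enabling or disabling one scripted input.

    `stanza` is the script path as listed in inputs.conf, e.g. (constructed)
    "$SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/ps.sh". It must be percent-encoded
    as a single path segment (safe="") because it contains '/' and '$'.
    """
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}, got {action!r}")
    name = urllib.parse.quote(stanza, safe="")
    return f"https://{host}:{port}/services/data/inputs/script/{name}/{action}"


def toggle_script_input(host, stanza, action, user, password, cafile=None, timeout=10):
    """POST the toggle request and return the HTTP status code.

    Authenticates with HTTP basic auth against the forwarder's local account
    (the UF's default admin password must already have been changed, as the
    answer notes). Pass the forwarder's CA bundle as `cafile`; TLS
    verification is left on rather than disabled.
    """
    url = script_input_url(host, stanza, action)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=b"", method="POST",
                                 headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 on bad credentials, 404 if the stanza does not exist


if __name__ == "__main__":
    # Constructed values: replace with a real forwarder hostname and stanza.
    print(script_input_url("uf01.example.com",
                           "$SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/ps.sh", "enable"))
```

A second call with action "disable" after the search has collected its data returns the forwarder to its previous state, which is the two-step flow the question asks for.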

xiyangyang
Path Finder

So the question will be:
what is the REST API to enable and disable a script stanza in the forwarder's inputs.conf?

I am sorry, I am not very familiar with REST API.


nickhills
Ultra Champion

Installing a UF on your Linux servers will give you real-time results. This would be the recommended approach.

However, if you really want to monitor a remote system 'from' your search head, technically you could write a script to log in via SSH, run the command and output the results, and run this as a scripted input. It is, however, a horrible solution and won't scale.

If my comment helps, please give it a thumbs up!

xiyangyang
Path Finder

The ideal picture is:
1. Users input a search command towards the specific UF in Splunk web.
2. The script on the UF will be enabled, and the script runs.
3. After that, run the search command in Splunk web again to disable the script on the UF.
No login via SSH.

This is a request from some customers; however, I doubt whether a Splunk remote command can be run from the search head web towards a UF.


nickhills
Ultra Champion

Hi, I added this post. If you find it useful, please upvote the answer, or add your own solution if you found another way!

https://answers.splunk.com/answers/606762/how-do-i-monitor-jbosstomcatapacheetc-and-raise-an.html

If my comment helps, please give it a thumbs up!