Splunk Search

Scripted input - event not parsed

mikaellindstrom
New Member

Hi,
I'm having a problem with setting up my data stream for scripted input. I have the splunk universal forwarder setup on my node and it's working. I have a script that prints a JSON object (I also have script that generates key-value pair events and have the same problem with that) and I've setup the following configuration:

etc/system/local/inputs.conf

[script://$SPLUNK_HOME/bin/scripts/rdb_vm_status.sh]
interval=60
index=vecc
disabled=0
source=rdb_vm_status
sourcetype=rdb_vm_status

[host]$ cat props.conf
[rdb_vm_status]
KV_MODE = json
TIMESTAMP_FIELDS = tl_timestamp
SHOULD_LINEMERGE = false

Output from script:
[host]$ ./splunk cmd scripts/rdb_vm_status.sh
{ "tl_timestamp" : "2019-05-08 07:29:32", "VIP" : "10.145.14.180", "agent": [ { "IP": "10.145.14.179", "type": "Standby", "state": "UP", "db_state": "UP"},{ "IP": "10.145.14.178", "type": "Master", "state": "UP", "db_state": "UP"}, { "IP": "10.145.14.177", "type": "Standby", "state": "UP", "db_state": "UP"} ], "db_insync": "yes"}
[host]$

I can see the events in Splunk search (not the same event but an older one):

{ [-]
VIP: 10.145.14.180

agent: [ [+]
]

db_insync: No Master DB found
tl_timestamp: 2019-05-07 15:44:54

}
Show as raw text
Event Actions
Type

Field Value Actions
Selected

host
bl2ecmrdb1.vcc.t-mobile.lab
source
rdb_vm_status

Time

_time
2019-05-07T15:44:54.000-07:00

Default
index
vecc

linecount
1

sourcetype
rdb_vm_status

splunk_server
blvnnm03

I would expect to be able to see the event fields if I click on "All Fields" in left sidebar and have them available there.

So apart from inputs.conf and props.conf, is there any other configuration I need to do to setup this data ingestion?

Regards,
Mikael

0 Karma
Get Updates on the Splunk Community!

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

It's 3:17 AM, and your phone buzzes with an urgent alert. Wire transfer processing times have spiked, and ...

ATTENTION!! We’re MOVING (not really)

Hey, all! In an effort to keep this Slack workspace secure and also to make our new members' experience easy, ...

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

  Whether you're running a complex Splunk deployment or just getting your bearings as a new admin, .conf25 ...