Splunk Search

Scripted input - event not parsed

mikaellindstrom
New Member

Hi,
I'm having a problem with setting up my data stream for scripted input. I have the splunk universal forwarder setup on my node and it's working. I have a script that prints a JSON object (I also have script that generates key-value pair events and have the same problem with that) and I've setup the following configuration:

etc/system/local/inputs.conf

[script://$SPLUNK_HOME/bin/scripts/rdb_vm_status.sh]
interval=60
index=vecc
disabled=0
source=rdb_vm_status
sourcetype=rdb_vm_status

[host]$ cat props.conf
[rdb_vm_status]
KV_MODE = json
TIMESTAMP_FIELDS = tl_timestamp
SHOULD_LINEMERGE = false

Output from script:
[host]$ ./splunk cmd scripts/rdb_vm_status.sh
{ "tl_timestamp" : "2019-05-08 07:29:32", "VIP" : "10.145.14.180", "agent": [ { "IP": "10.145.14.179", "type": "Standby", "state": "UP", "db_state": "UP"},{ "IP": "10.145.14.178", "type": "Master", "state": "UP", "db_state": "UP"}, { "IP": "10.145.14.177", "type": "Standby", "state": "UP", "db_state": "UP"} ], "db_insync": "yes"}
[host]$

I can see the events in Splunk search (not the same event but an older one):

{ [-]
VIP: 10.145.14.180

agent: [ [+]
]

db_insync: No Master DB found
tl_timestamp: 2019-05-07 15:44:54

}
Show as raw text
Event Actions
Type

Field Value Actions
Selected

host
bl2ecmrdb1.vcc.t-mobile.lab
source
rdb_vm_status

Time

_time
2019-05-07T15:44:54.000-07:00

Default
index
vecc

linecount
1

sourcetype
rdb_vm_status

splunk_server
blvnnm03

I would expect to be able to see the event fields if I click on "All Fields" in left sidebar and have them available there.

So apart from inputs.conf and props.conf, is there any other configuration I need to do to setup this data ingestion?

Regards,
Mikael

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...