Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- splunk add oneshot completion status
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk add oneshot completion status
Hello,
We are using the splunk add oneshot feature to index some files that we are not indexed all the time. (This is being done from a splunk universal forwarder 4.3.4)
Is there any way to know the completion of indexing after running oneshot on multiple files?
I would like to be notified in some way that all my oneshot files are indexed so that I can start searching.
Thanks,
Etienne
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe this would be something you would have to build into a script at the end of your script you could have it send an SMPT email or out put some text.
You could create saved search looking at the _internal index for oneshot completions or the text output from your script. Then have the search kick of an alert or email. a
Below are some examples which could solve your problem.
Additional info:
On your forwarer edit you inputs.conf
#windows
[script://.daily_file.bat c:\somedir\somelog.log]
disabled = true
index = main
source = c:\somedir\somelog.log
sourcetype = ras
interval = 0 0 * * *
#*nix
[script://./bin/daily_file.sh /somedir/somelog.log]
disabled = true
index = main
source = /somedir/somelog.log
sourcetype = ras
interval = 0 0 * * *
Option 1
#*nix
#!/bin/bash
$to=' -to somedue@@somecompany.net'
$f=' -f Blat@@splunk.net'
$msg='"Tim it is @time on @date"'
$server=' -server localhost'
echo "start OneShot"
$SPLUNK_HOME/bin/splunk add oneshot $1 -auth admin:changeme
./blat - $to $f -subject $msg -body $msg $server -q
echo "Oneshot Complete"
done
#windows
set eMail=somedude@somecompany.net
set subj=-s "Test Blat"
set server=-server localhost
set x=-x "X-Header-Test: Can Blat do it? Yes it Can!"
set debug=-debug -log blat.log -timestamp
echo start OneShot Load
%splunk%\splunk add oneshot %1 -auth admin:changeme
echo completed OneShot Load
blat %0 -to %eMail% -f %eMail% %subj% %server% %debug% %x%
Option 2
This will read the output from cat or type which would normally be displayed on your CMD prompt.
#*nix
#!/bin/bash
$to=' -to somedue@@somecompany.net'
$f=' -f Blat@@splunk.net'
$msg='"Tim it is @time on @date"'
$server=' -server localhost'
echo "start OneShot"
cat $1
./blat - $to $f -subject $msg -body $msg $server -q
echo "Oneshot Complete"
done
#windows
set eMail=somedude@somecompany.net
set subj=-s "Test Blat"
set server=-server localhost
set x=-x "X-Header-Test: Can Blat do it? Yes it Can!"
set debug=-debug -log blat.log -timestamp
echo start OneShot Load
type %1
echo completed OneShot Load
blat %0 -to %eMail% -f %eMail% %subj% %server% %debug% %x%
Hope this helps you.
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
Fun with Regular Expression - multiples of nine
