Solved: where does splunk store output of shell scripts?

batemanj · ‎11-16-2019

Hi,

On Splunk forwarders, we have few shell scripts in "SPLUNK_HOME/etc/apps/my_app/bin/" that are being run. Just wondering where do the outputs of these shell scripts store? Shell scripts don't have the output filename in them so I tried to look into "SPLUNK_HOME/var/log/splunk" but no luck. Are these outputs store in "*.dat" file which we can't read?

Thanks

woodcock · ‎11-16-2019

If you are running scripted inputs, then Splunk will index the output that it sees hitting stdout. This means that you can pipe the output of your scripts to other things and Splunk will only index the final text that hits stdout. Any other output that goes anywhere else will be ignored by Splunk, unless of course you are writing it to file and have a different [monitor://...] stanza looking for it, which would be strange.

View solution in original post

woodcock · ‎11-16-2019

If you are running scripted inputs, then Splunk will index the output that it sees hitting stdout. This means that you can pipe the output of your scripts to other things and Splunk will only index the final text that hits stdout. Any other output that goes anywhere else will be ignored by Splunk, unless of course you are writing it to file and have a different [monitor://...] stanza looking for it, which would be strange.

burwell · ‎11-16-2019

So you are doing scripted input? Splunk runs the script on the interval you specify and then indexes the output. I don't think there's an intermediate location.

where does splunk store output of shell scripts?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio