Hello! It's my first time writing here, so forgive me if my question lacks information.

What I want to do: I want to execute a batch file via a scripted input and write the output of this script into a specific log. Then I want to send this log to be indexed on another server. All of this should later be deployed within an app to a universal forwarder, which executes the script, writes the log and sends it to a specific server into a specific index.

What I've done so far: I've created an app which has a script in /bin that basically changes the passwd of the universal forwarder and creates a log into which it echoes certain statements. The script itself looks like this:

```sh
#!/bin/sh
FILE=/opt/splunkforwarder/etc/passwd
LOG=/opt/splunkforwarder/etc/apps/myapp/logging/changepw.log

# Only act when the forwarder's passwd file exists
if test -f "$FILE"; then
    echo "$(date) $FILE existiert." >> "$LOG"
    #mv /opt/splunkforwarder/etc/apps/myapp/local/inputs.conf /opt/splunkforwarder/etc/apps/myapp/local/inputs.conf.bak
    # Keep the old file as .bak; Splunk recreates passwd on restart
    mv /opt/splunkforwarder/etc/passwd /opt/splunkforwarder/etc/passwd.bak
    echo "$(date) $FILE wurde umbenannt und wird neu erstellt. Inputs.conf wurde deaktiviert" >> "$LOG"
    /opt/splunkforwarder/bin/splunk restart
else
    echo "$(date) $FILE existiert nicht." >> "$LOG"
fi
```

So as of now it should do the following:
- check if there is a passwd
- if yes, rename it to passwd.bak, rename my inputs.conf to inputs.conf.bak (so it uses the inputs.conf in default, which has a deactivated scripted input) and then restart splunk.

After each of the previous steps it writes a message into changepw.log.

The inputs.conf looks like this:

```
[script://./bin/change.sh]
disabled = 0
interval = -1

[monitor:///opt/splunkforwarder/etc/apps/myapp/logging/*]
disabled = 0
index = main
```

My outputs.conf looks like this:

```
[tcpout]
defaultGroup = splunk_indexer

[tcpout-server://<ip>]

[tcpout:splunk_indexer]
disabled = false
server = <ip>:9997
```

What the problem is: when I start the script it does as it was told: changing the passwd and renaming it to passwd.bak, writing all echoes into changepw.log, then restarting splunk. For whatever reason it doesn't seem to send anything to my server.

- I've already checked whether my forwarder is active. It is.
- I can ping the server from the UF.
- I've created a test.log in the same folder in which my changepw.log resides and filled it with some text. After a few moments it appeared on my server, indexed.
- splunk is starting with user splunk and has all the necessary rights to execute, read and write anything within /splunkforwarder.

Did I leave something out? I feel like I'm standing right in front of a wall. Hope someone can help!

edit: I've noticed that when I deactivate the script in my inputs.conf, comment out the mv inputs.conf inputs.conf.bak part and start change.sh, then it works just fine and my server shows the log. Why can that be? I assume that when I mv the inputs.conf, the script ends even though it already started. Can that be? If so, the final question would be: how does the script need to look in order to do the following:
- check if there is a passwd; if so, change it to passwd.bak, write everything in a log and restart splunk. After restarting, splunk should not start the script again.
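The post asks for a scripted input that renames passwd once, logs each step, and does nothing when the forwarder restarts and invokes it again. The following is an added example, not the poster's script and not Splunk's own tooling: it records completion in a sentinel file instead of renaming inputs.conf out from under the running script, so the second invocation after restart is a logged no-op. The sentinel path, the variable names and the `--run` flag are assumptions of this example; the defaults mirror the paths in the post but can be overridden through the environment.

```shell
#!/bin/sh
# Added example: a run-once scripted input that marks its own completion.
# Every path below is an assumption taken from the post, overridable via env.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
APP_DIR="${APP_DIR:-$SPLUNK_HOME/etc/apps/myapp}"
LOG_FILE="${LOG_FILE:-$APP_DIR/logging/changepw.log}"
TARGET="${TARGET:-$SPLUNK_HOME/etc/passwd}"
SENTINEL="${SENTINEL:-$APP_DIR/local/.changepw.done}"   # assumed marker file

# Append one timestamped line to the log; create the monitored folder if needed.
log_line() {
    mkdir -p "$(dirname "$LOG_FILE")"
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$LOG_FILE"
}

# Rename TARGET to TARGET.bak exactly once per install.
# Exit status: 0 = renamed now, 1 = skipped because the sentinel exists,
# 2 = TARGET was not present.
rotate_once() {
    if [ -e "$SENTINEL" ]; then
        log_line "skip: sentinel $SENTINEL exists, nothing to do"
        return 1
    fi
    if [ ! -f "$TARGET" ]; then
        log_line "$TARGET does not exist"
        return 2
    fi
    mv "$TARGET" "$TARGET.bak"
    log_line "$TARGET renamed to $TARGET.bak"
    mkdir -p "$(dirname "$SENTINEL")"
    : > "$SENTINEL"
    log_line "sentinel $SENTINEL written"
    return 0
}

# Number of lines written to the log so far (handy for checking the run).
log_count() {
    wc -l < "$LOG_FILE" | tr -d ' '
}

# Restart the forwarder only when invoked with --run and the rename happened;
# a restart re-runs this input (interval = -1) and then hits the sentinel.
if [ "${1:-}" = "--run" ]; then
    if rotate_once; then
        "$SPLUNK_HOME/bin/splunk" restart
    fi
fi
```

The script never touches inputs.conf, so the scripted input stays enabled; what stops a second rename is the sentinel check at the top of `rotate_once`. Removing the sentinel (or the .bak file) is what an operator would do to deliberately repeat the rotation, and every decision lands in changepw.log, which the monitor stanza already forwards.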