What are best practices for referencing a scripted input from another app?

sloshburch
Splunk Employee

I want to be able to reference input scripts in one app from another app. How can I do that when the script is defined using relative paths?

For example, I have the Splunk Add-on for Unix and Linux, and I want to leverage CPU statistics gathered by the input script cpu.sh in the app "Jane's App for Using UNIX Data to End World Hunger".

When I invoke cpu.sh from the Splunk Add-on for Unix and Linux, the inputs.conf stanza header is defined as script://./bin/cpu.sh. How do I invoke the cpu.sh input script from "Jane's App for Using Unix Data to End World Hunger" given that the UNIX notation for shifting up a directory (..) is not available with Splunk scripted inputs?

0 Karma
1 Solution

sloshburch
Splunk Employee

The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.

Scripted inputs are often defined using relative paths. When a script is located in an app's bin directory, you can define the scripted input stanza header in inputs.conf as script://./bin/cpu.sh. If you want to leverage that same input script in another app, you have to find a different way to reference the script from the context of the other app.

Before we jump into some options, review some of the principles behind where to place the scripts for scripted inputs in the Splunk Enterprise Getting Data In manual and the inputs.conf spec file, specifically the scripted input section.

Use the $SPLUNK_HOME variable

In the Splunk Add-on for Unix and Linux, the stanza header for the cpu.sh script in inputs.conf is

[script://./bin/cpu.sh]

To refer to this from outside the Splunk Add-on for Unix and Linux app (literally named Splunk_TA_nix on the filesystem), you can use the $SPLUNK_HOME variable that exists in Splunk's runtime environment:

[script://$SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/cpu.sh]

While they look different, those two paths calculate to the same fully qualified path, and thus use the same script! The $SPLUNK_HOME variable means this works both on a Universal Forwarder and a full Splunk Enterprise.

Downsides

Due to changes in the way Splunk processes scripted inputs, the above approach is no longer encouraged. Functionally, it works. But administratively, your new input stanza, script://$SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/cpu.sh, will not be merged with the configuration of the original input stanza, script://./bin/cpu.sh. Therefore, your new stanza must also include the other settings like interval, source, and sourcetype.

Stronger approaches are recommended in the post What are best practices for deploying an add-on with slightly different configurations?. Nonetheless, this post is still valid at answering the specific question of referencing scripted inputs in other apps.

0 Karma
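
As an added example (not part of the original post and not Splunk's own code): a small Python check that resolves both stanza headers to their fully qualified path and lists the settings the referring stanza does not define itself, which is the gap the Downsides section describes. The app directory name Janes_App, the /opt/splunk install root, and the setting values in the sample configs are constructed assumptions.

```python
import configparser
import posixpath

# Constructed sample inputs.conf contents; the setting values are
# illustrative assumptions, not copied from the add-on.
TA_NIX_INPUTS = """
[script://./bin/cpu.sh]
interval = 30
sourcetype = cpu
source = cpu
disabled = 1
"""
JANES_APP_INPUTS = """
[script://$SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/cpu.sh]
interval = 60
disabled = 0
"""

def script_stanzas(app, conf_text, splunk_home="/opt/splunk"):
    """Map each script:// stanza header to (fully qualified path, settings)."""
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    app_dir = posixpath.join(splunk_home, "etc/apps", app)
    out = {}
    for header in cp.sections():
        if not header.startswith("script://"):
            continue
        path = header[len("script://"):].replace("$SPLUNK_HOME", splunk_home)
        if not posixpath.isabs(path):
            path = posixpath.join(app_dir, path)  # ./bin/x is relative to the app
        out[header] = (posixpath.normpath(path), dict(cp[header]))
    return out

def unmerged_settings(owner, referrer):
    """For referrer stanzas that resolve to an owner's script, list the
    owner's settings that the referrer stanza does not set itself."""
    owner_by_path = {path: settings for path, settings in owner.values()}
    findings = {}
    for header, (path, settings) in referrer.items():
        if path in owner_by_path:
            findings[header] = sorted(set(owner_by_path[path]) - set(settings))
    return findings

if __name__ == "__main__":
    owner = script_stanzas("Splunk_TA_nix", TA_NIX_INPUTS)
    referrer = script_stanzas("Janes_App", JANES_APP_INPUTS)
    for header, missing in unmerged_settings(owner, referrer).items():
        print(f"[{header}] must also set: {', '.join(missing)}")
```
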

sloshburch
Splunk Employee

Updated to reflect the practical downsides of this approach.

0 Karma