Universal Forwarder problem

aalaa
Path Finder

Hello,
I have a universal forwarder installed on an Oracle server.
I configured this universal forwarder to monitor a script file (splunkhome \ bin \ script) that gives the enabled Oracle services, but the problem is that I receive the list of activated services 20 minutes after I activate or disable a service.
The goal is to create a real-time alert on the HS to notify that a service is currently enabled.

Any help, please?

gcusello
Legend

Hi @aalaa,

Did you configure a scripted input or file monitoring? In other words: do you have a script scheduled on Unix that writes results to a file which Splunk then reads, or do you manage the script execution in Splunk (scripted input)?

Anyway, in both cases the question is: what's the frequency of execution of the script?

If you're using a scripted input, the results are immediately forwarded to the Indexers, so the delay is the scheduling frequency.

If the script writes results to a file, Splunk reads it with a delay of up to thirty seconds, so the delay is still the scheduling frequency.

Ciao.
Giuseppe

aalaa
Path Finder

Thank you Giuseppe for your response,

I configured the script to write to a file and I configured the file monitoring.
How can I know the frequency of the script?

gcusello
Legend

Hi @aalaa,
If you scheduled it using the Unix scheduler, you have to use cron (e.g.: */5 * * * * means every 5 minutes).

If you used Splunk inputs, see https://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

interval = [<decimal>|<cron schedule>]
* How often, in seconds, to run the specified command, or a valid "cron" schedule.
* If you specify the interval as a number, it may have a fractional component; for example, 3.14
* To specify a cron schedule, use the following format:
  * "<minute> <hour> <day of month> <month> <day of week>"
  * Cron special characters are acceptable. You can use combinations of "*", ",", "/", and "-" to specify wildcards, separate values, specify ranges of values, and step values.
* The cron implementation for data inputs does not currently support names of months or days.
* The special value 0 forces this scripted input to be run continuously.
  As soon as the script exits, the input restarts it.
* The special value -1 causes the scripted input to run once on start-up.
* NOTE: when you specify a cron schedule, the input does not run the script on start-up.
* Default: 60.0

Ciao.
Giuseppe
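
Added example, not part of the original thread and not the poster's configuration: the two input styles discussed above, side by side in the forwarder's inputs.conf, showing where the alert latency is actually set. The script path, log path, index and sourcetype names are assumptions.

```ini
# inputs.conf on the universal forwarder.
# Constructed example: paths, index and sourcetype are assumed values.
# Use ONE of the two options, otherwise the same data is indexed twice.

# Option 1: scripted input. Splunk runs the script itself and, as the answer
# above notes, forwards the output immediately, so the detection delay is
# bounded by "interval".
[script://$SPLUNK_HOME/bin/scripts/oracle_services.sh]
# Seconds between runs (60 is also the documented default).
interval = 60
# Cron form of the same setting; note it does not run the script on start-up:
# interval = */5 * * * *
sourcetype = oracle:services
index = oracle
disabled = 0

# Option 2: file monitoring. An external scheduler runs the script and
# appends to a file; Splunk only reads the file. The delay is bounded by the
# scheduler, not by anything in this stanza. To change it, edit the crontab
# of the account that runs the script (check with "crontab -l"), e.g.:
#   */5 * * * * /opt/scripts/oracle_services.sh >> /var/log/oracle_services.log
[monitor:///var/log/oracle_services.log]
sourcetype = oracle:services
index = oracle
disabled = 0
```

With Option 2, a 20-minute lag between a service change and the event arriving points at the external schedule rather than at the forwarder.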
