Splunk Search

How to get output from external commands run through Perl and use as scripted input

samaikins
New Member

Hi

I am trying to run a command through Perl and use the results as scripted input, which will be indexed by Splunk.
However, I don't get any output when I run the script through Splunk.
I have tried the Perl "system" module and "backticks", but none of it works.

The script works fine if i run it manually through the command line.

$myresults = `find $flags[0] -maxdepth 1 -type f -name $flags[1] -mmin $min_val -ls`;
print  $myresults

The script has been added to the input.conf.

Some help will be much appreciated.

Thanks
Sam

0 Karma

jmallorquin
Builder

Hi,

Use the bin folder to write a sh script with your Perl command, then in inputs.conf configure a stanza with the sh script.

Hope I helped you.

0 Karma

samaikins
New Member

Hi,
Sorry, I forgot to mention I have already done that.
A regular print statement in the script works fine. It's just the ones with commands that don't work.

0 Karma

jmallorquin
Builder

Hi,

Can you show the inputs.conf, and have you also checked that the Splunk user has rights to execute the script?

0 Karma

samaikins
New Member

This is the input.conf, and I am running this from the admin account.

[script://$SPLUNK_HOME/etc/apps/dir_patrol/bin/dir_patrol.pl]
disabled = 0
interval = 60.0
sourcetype = dir_patrol

0 Karma

samaikins
New Member

Hi,
Changing the input.conf didn't help.
Just to clarify:
The actual script works. Only this line below doesn't return any results:
"$myresults = `find $flags[0] -maxdepth 1 -type f -name $flags[1] -mmin $min_val -ls`;"

0 Karma

jmallorquin
Builder

OK,
So the problem is with Perl... have you tried building the command before executing it?

# Build the whole command string first so it can be printed and checked
$command = "find"." ".$flags[0]." -maxdepth 1 -type f -name"." ".$flags[1]." -mmin ".$min_val." -ls";

print($command, "\n");
system($command);

Hope I helped you.

0 Karma

samaikins
New Member

I tried your method and I see no errors. However, the command does not show any results.

0 Karma

jmallorquin
Builder

Hi,
Review the _internal index to see if there is any error.

Hope I helped you.

0 Karma

samaikins
New Member

Hi Jmallorquin,

I found out that scripted input in Splunk doesn't seem to work well with Linux "find" with the "-ls" flag:

find . -maxdepth 1 -type f -name "*.xml" -mmin 300 -ls

When I use the find command without "-ls", I get an output.

0 Karma

samaikins
New Member
0 Karma

jmallorquin
Builder

Hi,

The problem is in the stanza

you have to use

[script://./bin/dir_patrol.pl]
disabled = 0
interval = 60
sourcetype = dir_patrol

Hope I helped you.

0 Karma
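
An added example, not part of any post in this thread: one way for a Perl scripted input to run find without a shell, so the -name pattern reaches find literally instead of being glob-expanded or interpreted, and so find's error messages and exit status appear in the script's own output. The directory, pattern, age value and the path to find are assumed placeholders; the thread's script takes its values from @flags and $min_val.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # unbuffered stdout so lines reach the caller as they are printed

# Assumed placeholder values (constructed for this example).
# "-300" means "modified less than 300 minutes ago" in find's -mmin syntax.
my ($dir, $pattern, $min_val) = ('/var/spool/incoming', '*.xml', '-300');

# Absolute path: a script started by a daemon may not inherit the PATH
# of an interactive login shell. Adjust to where find lives on the host.
my $find = '/usr/bin/find';

sub run_find {
    my ($dir, $pattern, $mmin) = @_;

    # Each argument is its own list element, so no shell ever parses them.
    my @cmd = ($find, $dir, '-maxdepth', '1', '-type', 'f',
               '-name', $pattern, '-mmin', $mmin, '-ls');

    # open with '-|' forks; the child's STDOUT is the pipe read by the parent.
    my $pid = open(my $out, '-|');
    die "fork failed: $!\n" unless defined $pid;

    if ($pid == 0) {
        # Child: send stderr down the same pipe so failures are not silent.
        open(STDERR, '>&', \*STDOUT) or die "dup failed: $!\n";
        exec { $cmd[0] } @cmd
            or do { print "exec $cmd[0] failed: $!\n"; exit 127 };
    }

    my @lines = <$out>;
    close($out);                  # waits for the child and sets $?
    return ($? >> 8, @lines);     # exit status first, then captured output
}

my ($status, @lines) = run_find($dir, $pattern, $min_val);
print @lines;
print "dir_patrol: find exit status=$status lines=", scalar(@lines), "\n";
```

The final status line is emitted even when find prints nothing, which distinguishes "find ran and matched no files" from "the command never ran".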