Hi,
We need to ingest standard output that generated from script from one of the host and ingest that information to splunk ?
Scripts located at below location:
/logs/ibm/mqm/qmgrs.ksh
.
If we give below stanza to my inputs.conf will it gather information:
[script://./logs/ibm/mqm/qmgrs.ksh]
interval =500
sourcetype = qmgrs
source = mqm
index = mqm
disabled = 0
KIndly help us.
Thanks.
Refer to http://docs.splunk.com/Documentation/SplunkCloud/6.5.1/AdvancedDev/ScriptSetup
Your above configuration should work except the script path. If you give relative path, splunk considers it's from apps/bin/ directory .
Also based on the nature of output, you might need to parse the data
Thanks Renjith.
Do I need to keep this script in my apps/bin .
If so , I will create new deployment app and directory bin and move this script here.
etc/deployment-apps/<mkdir> -p mqm/local/bin
will also change inputs stanza:
[script://./bin/qmgrs.ksh]
interval =500
sourcetype = qmgrs
source = mqm
index = mqm
disabled = 0
For Parsing, my script generates outputs like this.
2012-05-20T05:19:24 HOSTNAME=icon.mq.com MQVERSION=8.0.0.5 QMGR=q MQERROR=AMQ5540 MQERRORMSG=" Application 'WebSphere MQ Client for Java' did not supply a user ID and password EXPLANATION: The queue manager is configured to require a user ID and password, but none was supplied. ACTION: Ensure that the application provides a valid user ID and password, or change the queue manager configuration to OPTIONAL to allow applications to connect which have not supplied a user ID and password."
props.conf below will solve my purpose
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
SHOULD_LINEMERGE = False
LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\[^A-Za-Z]\d{2}:\d{2}:\d{2}
Will above solve my purpose, sorry for bothering.
Thanks
You need to place the script in bin only if you configure by relative path, otherwise you can configure the full path. But if you are able to do it with an app, that's perfect. Just make sure that the script is apps/your app name/bin/
Please test your configuration once
Hi,
Although we kept scipr in /etc/app/appname/bin/script.ksh it is not some how it is not executing, is there any thing we need to cheeck
[script://./bin/script.ksh]
disabled = false
index = dev_scr
sourcetype=dev_stats
interval = 1800
splunkd.log should give some hint about the problem,