How can we monitor scripts and ingest standard output data to Splunk?

splunker9999
Path Finder

Hi,

We need to ingest the standard output generated by a script on one of our hosts into Splunk.

The script is located at the location below:
/logs/ibm/mqm/qmgrs.ksh.

If we add the stanza below to inputs.conf, will it gather the information?

[script://./logs/ibm/mqm/qmgrs.ksh]
interval = 500
sourcetype = qmgrs
source = mqm
index = mqm
disabled = 0

Kindly help us.

Thanks.

0 Karma

renjith_nair
SplunkTrust

Refer to http://docs.splunk.com/Documentation/SplunkCloud/6.5.1/AdvancedDev/ScriptSetup

Your configuration above should work, except for the script path. If you give a relative path, Splunk considers it to be relative to the apps/bin/ directory.

Also, based on the nature of the output, you might need to parse the data.

Happy Splunking!
0 Karma

splunker9999
Path Finder

Thanks Renjith.

Do I need to keep this script in my apps/bin?

If so, I will create a new deployment app with a bin directory and move this script here.

etc/deployment-apps/<mkdir> -p mqm/local/bin

I will also change the inputs stanza:

[script://./bin/qmgrs.ksh]
interval = 500
sourcetype = qmgrs
source = mqm
index = mqm
disabled = 0

For parsing, my script generates output like this:

2012-05-20T05:19:24 HOSTNAME=icon.mq.com MQVERSION=8.0.0.5 QMGR=q MQERROR=AMQ5540 MQERRORMSG=" Application 'WebSphere MQ Client for Java' did not supply a user ID and password EXPLANATION: The queue manager is configured to require a user ID and password, but none was supplied. ACTION: Ensure that the application provides a valid user ID and password, or change the queue manager configuration to OPTIONAL to allow applications to connect which have not supplied a user ID and password."

The props.conf below will solve my purpose:

TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
SHOULD_LINEMERGE = False
LINE_BREAKER = ([\n\r]+)\d{4}-\d{2}-\d{2}\s\[^A-Za-Z]\d{2}:\d{2}:\d{2}

Will the above solve my purpose? Sorry for bothering.
Thanks

0 Karma
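
A way to test these props.conf settings offline against the sample event before deploying them, as an added example that is not part of the original thread. Python's `re` and `datetime.strptime` stand in for Splunk's regex and timestamp handling (an approximation); the second sample event, the `ADJUSTED` values and the helper names `break_events`, `parse_time` and `check` are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample: two events in the format shown in the post
# (MQERRORMSG shortened), as the script would write them to stdout.
SAMPLE = (
    '2012-05-20T05:19:24 HOSTNAME=icon.mq.com MQVERSION=8.0.0.5 QMGR=q '
    'MQERROR=AMQ5540 MQERRORMSG=" Application did not supply a user ID"\n'
    '2012-05-20T05:24:31 HOSTNAME=icon.mq.com MQVERSION=8.0.0.5 QMGR=q '
    'MQERROR=AMQ5540 MQERRORMSG=" Application did not supply a user ID"\n'
)

# Settings exactly as posted in the thread.
POSTED = {
    "TIME_FORMAT": "%Y-%m-%d %H:%M:%S",
    "LINE_BREAKER": r"([\n\r]+)\d{4}-\d{2}-\d{2}\s\[^A-Za-Z]\d{2}:\d{2}:\d{2}",
}
# Assumed adjustment (not from the thread): expect the literal 'T'
# that separates date and time in the sample event.
ADJUSTED = {
    "TIME_FORMAT": "%Y-%m-%dT%H:%M:%S",
    "LINE_BREAKER": r"([\n\r]+)\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}",
}


def break_events(raw, line_breaker):
    """Emulate LINE_BREAKER: capture group 1 is discarded and the text
    matched after it becomes the start of the next event."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip() for e in events if e.strip()]


def parse_time(event, time_format, lookahead=20):
    """Apply TIME_FORMAT to the first `lookahead` characters
    (MAX_TIMESTAMP_LOOKAHEAD); return None when the format does not fit."""
    try:
        return datetime.strptime(event[:lookahead].strip(), time_format)
    except ValueError:
        return None


def check(settings, raw=SAMPLE):
    """Return (event count, parsed timestamp per event) for one settings dict."""
    events = break_events(raw, settings["LINE_BREAKER"])
    return len(events), [parse_time(e, settings["TIME_FORMAT"]) for e in events]
```

With the posted values the two sample lines stay merged as one event and the timestamp format does not fit; with the `T` in both settings each line becomes its own event with a parsed time.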

renjith_nair
SplunkTrust

You need to place the script in bin only if you configure it by relative path; otherwise you can configure the full path. But if you are able to do it with an app, that's perfect. Just make sure that the script is in apps/your app name/bin/.
Please test your configuration once.

Happy Splunking!
0 Karma

splunker9999
Path Finder

Hi,

Although we kept the script in /etc/app/appname/bin/script.ksh, it is somehow not executing. Is there anything we need to check?

[script://./bin/script.ksh]
disabled = false
index = dev_scr
sourcetype = dev_stats
interval = 1800
0 Karma

renjith_nair
SplunkTrust

splunkd.log should give some hint about the problem.

  • Check the permissions of the script. Make sure that it has execute permission.
  • Try to execute the script as the splunk user on the machine and see if it's executing.
  • Restart the forwarder if you haven't done so.
Happy Splunking!
0 Karma