Getting Data In

Invoke "oneshot" via remote CLI

bnolen
Path Finder

Is it possible to use the oneshot command from a remote server?

Essentially we have a series of logs that are not able to be accessed by a forwarder in the normal ways (because of permissions etc.). Is it possible to use the oneshot function to get the logs into a remote indexer using the CLI?

0 Karma
1 Solution

gkanapathy
Splunk Employee

No. Invoking the oneshot command (splunk add oneshot) causes the indexer to index a file locally on the indexer, regardless of how you invoke it.

However, if you're able to use the CLI from the machine where the data is stored, then you must have an instance of Splunk there. This instance could certainly be set up as a forwarder with outputs to the indexer, and no inputs. You can then call oneshot locally, and it would forward the data. I guess I don't really see a normal situation where you'd be able to use the CLI locally but not be able to forward.

Of course if it is oneshot, you can always just copy the files over to the indexer using some other method (scp, sftp, whatever) and then oneshot them or place them in the batch directory.
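The approach in the answer above (a local Splunk instance with an output to the indexer and no inputs, then oneshot run locally), written out as an added example that is not part of the original post. The install path, ledger file, index and sourcetype values, and function names are assumptions; the ledger is this example's own safeguard so that re-running the script after the next daily transfer does not submit the same file twice.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: SPLUNK_BIN, LEDGER,
# the index/sourcetype arguments, and both function names.
SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunkforwarder/bin/splunk}"
LEDGER="${LEDGER:-$HOME/.oneshot_ledger}"

# One-time setup on the local instance: send its output to the indexer.
# No inputs are configured, so only oneshot submissions get forwarded.
# The CLI prompts for Splunk credentials when needed; avoid passing
# -auth user:password on the command line, where it lands in shell
# history and the process list.
setup_forwarder() {   # $1 = indexer receiving address, host:port
    "$SPLUNK_BIN" add forward-server "$1"
}

# Submit each regular, readable file in a directory once.
# Files are recorded by SHA-256 (sha256sum from coreutils), so a file
# that was already handed to Splunk is skipped on later runs even if
# it is still sitting in the drop directory.
# Prints the number of files submitted in this run.
oneshot_dir() {       # $1 = directory, $2 = index, $3 = sourcetype
    dir=$1
    index=$2
    sourcetype=$3
    sent=0
    touch "$LEDGER"
    for f in "$dir"/*; do
        # Skip directories, unreadable files and an unmatched glob.
        [ -f "$f" ] && [ -r "$f" ] || continue
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        grep -q "^$sum " "$LEDGER" && continue
        # CLI output goes to stderr so stdout carries only the count.
        # A failed submission is not recorded and stops the run.
        "$SPLUNK_BIN" add oneshot "$f" \
            -index "$index" -sourcetype "$sourcetype" >&2 || return 1
        echo "$sum $f" >> "$LEDGER"
        sent=$((sent + 1))
    done
    echo "$sent"
}

# Typical use from an interactive login on the host holding the logs:
#   setup_forwarder indexer.example.com:9997     (once)
#   oneshot_dir /data/daily_drop main app_logs   (after each transfer)
```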

gkanapathy
Splunk Employee

Rather, you should have no problem running oneshot on the forwarder where your files are. Even if you could run oneshot remotely (I guess you could), it wouldn't do what you want. Running it locally does.

0 Karma

gkanapathy
Splunk Employee

I suppose my point is that if you can run oneshot, you can run a forwarder to forward to the indexer. Oneshot works locally where it is run. Hence, you have no problem.

0 Karma

bnolen
Path Finder

The indexer is managed by a 3rd party hence I have no "direct" access to its file system. The logs are transferred once a day by scripts and the locations are only accessible by interactive logins, hence the oneshot requirement.

0 Karma