We got a requirement to input data via a script and I am new to it. So how to achieve it?
Create a shell script:
touch ssecls_executer.sh
chmod +x ssecls_executer.sh
Paste this into the shell script:
#!/usr/bin/env bash
/opt/SYMCScan/ssecls/ssecls -server 127.0.0.1 /bin/ls
Copy the shell script to a bin folder in a Splunk app of your choice:
mkdir /opt/splunk/etc/apps/MyAPP
mkdir /opt/splunk/etc/apps/MyAPP/bin
cp ssecls_executer.sh /opt/splunk/etc/apps/MyAPP/bin
Make an inputs.conf that runs the script:
mkdir /opt/splunk/etc/apps/MyAPP/default
touch /opt/splunk/etc/apps/MyAPP/default/inputs.conf
Paste this into the inputs.conf (the app directory must match the one created above; note that Splunk .conf files only accept comments on their own line, not after a value):
# Interval in seconds, or a cron schedule (see the inputs.conf documentation)
[script:///opt/splunk/etc/apps/MyAPP/bin/ssecls_executer.sh]
interval = 60
index = indexName
sourcetype = ssecls_executer
source = ssecls_executer.sh
Restart Splunk and profit.
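As an added example that is not part of the answer above, here is a fuller version of ssecls_executer.sh that reports the scanner's exit status, wall-clock time and output as key=value fields, so a failed or missing scanner shows up in the index as an event instead of an empty interval. It assumes the same paths as the answer (/opt/SYMCScan/ssecls/ssecls, server 127.0.0.1, target /bin/ls), that the user running splunkd can execute that binary, and that the file is saved under the name ssecls_executer.sh; the function names are my own.

```bash
#!/usr/bin/env bash
# Added example, not the original poster's script. Wraps the ssecls call for a
# Splunk scripted input and emits one key=value event per run.
# Assumed defaults (override via environment): SSECLS, SCAN_SERVER, SCAN_TARGET.
set -u

SSECLS="${SSECLS:-/opt/SYMCScan/ssecls/ssecls}"
SCAN_SERVER="${SCAN_SERVER:-127.0.0.1}"
SCAN_TARGET="${SCAN_TARGET:-/bin/ls}"

# Emit one single-line event: $1 = exit status, $2 = scanned target,
# $3 = elapsed seconds, $4 = raw scanner output (newlines collapsed, quotes escaped).
format_event() {
    local status="$1" target="$2" elapsed="$3" output="$4"
    local ts
    ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    output="$(printf '%s' "$output" | tr '\n' ' ' | sed 's/"/\\"/g')"
    printf '%s status=%s target="%s" elapsed_s=%s output="%s"\n' \
        "$ts" "$status" "$target" "$elapsed" "$output"
}

# Run the scanner and report. A missing or non-executable binary is reported
# as status=127 so the condition is visible in Splunk rather than silent.
run_scan() {
    local start end status out
    if [ ! -x "$SSECLS" ]; then
        format_event 127 "$SCAN_TARGET" 0 "scanner not found or not executable: $SSECLS"
        return 127
    fi
    start=$(date +%s)
    out="$("$SSECLS" -server "$SCAN_SERVER" "$SCAN_TARGET" 2>&1)"
    status=$?
    end=$(date +%s)
    format_event "$status" "$SCAN_TARGET" "$((end - start))" "$out"
    return "$status"
}

# Only run the scan when invoked as the scripted input (file named as in the
# answer); this keeps the functions sourceable for testing.
case "$0" in
    *ssecls_executer.sh) run_scan ;;
esac
```

Search the resulting events with something like `sourcetype=ssecls_executer status!=0` to alert on scanner failures.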