Is there a script that grabs the output of the "l...

Hemnaath · ‎01-17-2018

Hi All, Currently we wanted to monitor a file on a remote UNIX machine and for which we are looking out for a script that can fetch the " last command" data from the Unix Operating system and ingest the same in splunk, as other scripts like who.sh, lastlogin.sh top.sh etc available in Splunk-TA-nix add-on.

So kindly guide me on this.

nickhills · ‎01-17-2018

With reference to your other post https://answers.splunk.com/answers/610697/how-do-i-collect-the-results-of-wholast-on-unix-ma.html

If you have installed the splunkforwarder on the target, its not really a remote machine, as you are collecting files locally using the UF.
Your simplest course of action is to install the Splunk provided unix TA and configure the inputs accordingly.

All the TA is doing in this case, is calling (and formatting) the stdout results from those commands, and comes shipped with appropriate inputs, props and transforms to get that data into splunk in an indexed and normalised format.

lastlog.sh is invoking "last" in exactly this way

If my comment helps, please give it a thumbs up!

Hemnaath · ‎01-27-2018

Hi Nickhill, Yes you are right but its not reading the wtmpx file (binary file) from this location /var/adm/wtmpx. and I hope this is not built in the lastlog.sh script. So we decided to write a script that can read this binary file and write it to a normal txt file but at the same time it script should be in such away that it is not re-indexing the same file again and again. So could please guide me on this request to create a script which can read and write a binary file into a normal txt file.

thanks in advance.

Is there a script that grabs the output of the "last" command similar to other .sh script in Splunk-TA-nix ?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life