Getting Data In

Do we need to have a universal forwarder installed on the host server when we are going for scripted inputs?

raj_mpl
Path Finder

Hi All,

A straight question:
1) If I want to get the database-related log into the Splunk indexer using scripted inputs, does the Universal Forwarder need to be installed on the host?
2) If yes, how do I make the scripted input send the log to the indexer?

Thank you !

0 Karma
1 Solution

gcusello
SplunkTrust

Hi raj_mpl,
if you use scripted inputs, it's better to install a Universal Forwarder on the target server for many reasons (cache, bandwidth optimization, compression, etc.); I don't like to run a remote script.

Anyway, to do this, you have to:

  • install the Splunk Universal Forwarder on the target server,
  • create a Technical Add-on (TA),
  • put your script in $your_TA/bin,
  • edit $your_TA/local/inputs.conf and add a stanza like the following.

    [script://./bin/your_script.sh]
    disabled = 0
    # Run once per minute
    interval = 60
    sourcetype = your_sourcetype
    index = your_index

  • then restart the Universal Forwarder.

It's better to deploy this TA using a Deployment Server.

Bye.
Giuseppe


darrenfuller
Contributor

Hi @raj_mpl,

Sure, Universal Forwarder is the preferred method to transfer scripted input data, but UF is not the only way to get the output of a script into Splunk.

There are plenty of reasons I can think of to not install a forwarder: unsupported OS; corporate security policies against agents; oversubscribed boxes with limited resources; because you don't want to.

Here is a method off the top of my head...

  1. Create script that does $things$
  2. Install script on the target server
  3. Run script from cron and output result to file
  4. Transmit log file to remote syslog server
  5. Install UF on syslog server to forward data into Splunk.

To make your life easier, have the script output one event per line, include a timestamp, and maybe use JSON or CSV formatting to get the auto-field-extraction fun.

Hope this helps.

0 Karma
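As an added example (not code from this thread, from Splunk, or from either poster), here is a sketch of what the your_script.sh referenced in the inputs.conf stanza above could look like for the database-log case. It serves both Giuseppe's scripted-input setup and Darren's formatting advice: Splunk runs the script every interval and indexes whatever it writes to stdout, so the script keeps a checkpoint and emits only lines it has not sent before, one JSON event per line with a UTC timestamp. The log path, checkpoint path, and field names are assumptions, and the sample log in the usage note is constructed.

```shell
#!/bin/sh
# Added example: incremental scripted input for a database log.
# Assumed (hypothetical) paths; override via environment if needed.
DB_LOG="${DB_LOG:-/var/log/mydb/db.log}"
STATE="${STATE:-/tmp/db_log.checkpoint}"

# emit_new_lines LOG CHECKPOINT
# Prints every line of LOG that was not printed by a previous run, as one
# JSON object per line, then records how many lines have been sent so far.
emit_new_lines() {
    log="$1"
    state="$2"
    sent=0
    [ -f "$state" ] && sent=$(cat "$state")
    # wc counts newline characters; a final line without a newline is
    # picked up on the next run, once the writer has terminated it.
    total=$(wc -l < "$log" | tr -d ' ')
    # Fewer lines than already sent means the log was rotated or
    # truncated: start over from the beginning of the new file.
    [ "$total" -lt "$sent" ] && sent=0
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    hostn=$(uname -n)
    # Skip the lines already sent and emit the rest.
    tail -n +"$((sent + 1))" "$log" | while IFS= read -r line; do
        # Escape backslashes and double quotes so the raw line is a valid
        # JSON string (tabs and other control characters are left as-is).
        esc=$(printf '%s' "$line" | sed 's/\\/\\\\/g; s/"/\\"/g')
        printf '{"time":"%s","host":"%s","source":"%s","message":"%s"}\n' \
            "$now" "$hostn" "$log" "$esc"
    done
    # Persist the checkpoint only after the lines were written to stdout.
    printf '%s\n' "$total" > "$state"
}

# Stand-alone run (this is what the scripted input executes each interval).
if [ -r "$DB_LOG" ]; then
    emit_new_lines "$DB_LOG" "$STATE"
fi
```

To try it outside Splunk, point DB_LOG at any text file and run the script twice: the first run prints every line, the second prints nothing until new lines are appended. With `interval = 60` in the stanza, this is what keeps a minute-by-minute run from re-indexing the whole file each time.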

raj_mpl
Path Finder

Thanks @darrenfuller, your input is valuable to me.

0 Karma

raj_mpl
Path Finder

Thanks @gcusello, what you have explained here is very clear.

0 Karma