I have a dbquery that outputs the 5 fields needed for the inputs.conf file used in the Website Monitoring app.
I would like to automate the writing from the dbquery into the format of the .conf file
[web_ping://Sharepoint]
interval = 15m
title = Sharepoint
url = https://collaboration.sp.local
user_agent = Splunk Website Monitoring (+https://splunkbase.splunk.com/app/1493/)
How can I convert the 5 fields to write in this way and not in a CSV file like I am used to?
The five fields are like this:
mysearch | eval ping=("[web_ping://".'CI Name'."]") | eval interval=("interval = 15") | eval title='CI Name' | eval url=("url = ".'URL') | eval agent=("user_agent = Splunk Website Monitoring (+".'URL'.")") | fields ping interval title url agent
Thanks in advance
Version 1.6 of the Website Monitoring app allows you to create inputs in batch. In that case, you just need to paste in a comma-separated list of URLs. See the "Create inputs" view.
I don't think there's a native Splunk application to write your output into a .conf; you would need a custom script for this.
The first question would be, what OS are you running?
What does your dbquery output look like? Does it list the 5 fields in a key-value pair? If so, then I'll try to help you script this. I've done a good bit of automation in my day.
@skoelpin thanks for any help you can be. The OS is RHEL 6. The output is in key-value pairs, as I am using the eval command to create the correct syntax for the output values. Check the eval commands in the above search. I use the dbquery to get the 'URL' and 'CI Name' values. Then I do the eval commands to put those values in the right syntax for the CSV-style output.
In the output I get the header row ping,interval,title,url,agent
Then in each row after that I get the individual values, comma separated of course.
I can put this in a word processor and manipulate it like this;
This gives me the right format for the input.conf.
If you could help with the automation of the "search and replace" as above, that would help a great deal.
This script will do exactly what you need to do. I made it as simple as possible.. Obviously you will need to refine it so it creates a single output file
#!/bin/bash
#This will remove the first line in a file called splunk and send it to output
sed '1d' splunk.txt > output.txt
#This will strip the quotes from output.txt and save to output1.txt
sed 's/"//g' output.txt > output1.txt
#This will find a comma and replace it with a line break and output to a file called output2.txt
cat output1.txt | tr ',' '\n' > output2.txt
I wasn't sure what sample data you had so I went with this
[WebPing://Sharepoint]
interval = "15m"
title = "Sharepoint",
url = https://collaboration.sp.local,
user_agent = Splunk Website Monitoring (+https://splunkbase.splunk.com/app/1493/)
The output will look like this
interval = 15m
title = Sharepoint
url = https://collaboration.sp.local
user_agent = Splunk Website Monitoring (+https://splunkbase.splunk.com/app/1493/)
You could also add a few steps to turn off the Splunk forwarder, rename the current inputs.conf to inputsOLD.conf, then rename outputs2.txt to inputs.conf, move the new inputs.conf to the /bin DIR and then start splunk
We can also create a trigger on the search which can execute this script which will fully automate this process.. But I would recommend we thoroughly test and optimize the process before fully automating
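An added example, not part of the original answer or of the Website Monitoring app: a Python script that builds the web_ping stanzas directly from a CSV export carrying the 'CI Name' and 'URL' columns used in the question's search, and skips any row whose name or URL could break out of its stanza or add settings to the file. The function names, the allowed-character policy for names and the sample rows are assumptions.

```python
import csv
import io
import re
from urllib.parse import urlsplit

# Values taken from the stanza shown in the question.
INTERVAL = "15m"
USER_AGENT = "Splunk Website Monitoring (+https://splunkbase.splunk.com/app/1493/)"
# Assumed policy: names may only use characters that cannot close the
# [web_ping://...] header or start a new line in the .conf file.
NAME_OK = re.compile(r"[A-Za-z0-9 ._-]+")


def row_to_stanza(name, url):
    """Return one web_ping stanza, or raise ValueError for an unsafe row."""
    name, url = (name or "").strip(), (url or "").strip()
    if not NAME_OK.fullmatch(name):
        raise ValueError("bad CI Name: %r" % name)
    parts = urlsplit(url)
    if re.search(r"\s", url) or parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("bad URL: %r" % url)
    return ("[web_ping://%s]\ninterval = %s\ntitle = %s\nurl = %s\nuser_agent = %s\n"
            % (name, INTERVAL, name, url, USER_AGENT))


def csv_to_conf(csv_text):
    """Convert CSV text with 'CI Name' and 'URL' columns to (conf_text, rejected)."""
    stanzas, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text, newline="")):
        try:
            stanzas.append(row_to_stanza(row.get("CI Name"), row.get("URL")))
        except ValueError as err:
            rejected.append(str(err))
    return "\n".join(stanzas), rejected


# Constructed sample export: one good row, one name carrying an extra
# setting on a second line, one non-HTTP URL.
SAMPLE = ('CI Name,URL\r\n'
          'Sharepoint,https://collaboration.sp.local\r\n'
          '"Wiki]\ninterval = 1s",https://wiki.example.invalid\r\n'
          'Files,ftp://files.example.invalid\r\n')

if __name__ == "__main__":
    conf, rejected = csv_to_conf(SAMPLE)
    print(conf)
    print("rejected rows:", rejected)
```

Rejected rows are returned rather than written, so a scheduled run can log them before the generated text replaces the live inputs.conf.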
Yeah we could use sed to accomplish this. I will jump on after work tonight and give this a shot
thanks much for the help. I haven't used sed before. I'm more of a windows guy but I have done a little perl and a few .sh simple scripts
And in addition, if you modify or add a .conf file, you have to restart Splunk!
Bye.
Giuseppe
@cusello thanks for the response. I think the input.conf for this app will refresh with the new entries without having to restart Splunk. If not, I can automate, schedule, cron job the restart.