Re: scripted input

riotto · ‎06-16-2017

I have a korn shell that creates a log. I want to run the script via the inputs.conf, every Monday at 5am. I don't want the log of the script to be sent to the indexer yet, only to the log, and then at a different time I will monitor the log for input to the splunk indexer. The path to the script is /home/xxxx/my.ksh

What exactly does the inputs.conf need to look like just to get the file to run at that time? I can add the monitor file without a problem

Thanks

riotto · ‎06-16-2017

I looked all over and don't see a good example, I am really just using the splunkforwarder to run the job, like cron would.
If I move the script to $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin , I think the inputs.conf needs to be just this:

[script://./bin/my.ksh]
interval = 604800

This will run the script just once a week - nothing sent to the indexer

Does this look right?

woodcock · ‎06-16-2017

Check out the *NIX TA app on splunkbase; it is chock full of examples.

riotto · ‎06-16-2017

where exactly do I find this?

woodcock · ‎06-16-2017

https://splunkbase.splunk.com/app/833/

riotto · ‎06-16-2017

I think that like goes to where I can add the Nix add-on...? I don't really see any examples ?

woodcock · ‎06-16-2017

You can download the app, unzip it (rename to *.tgz), and look at the examples in the inputs.conf file.

scripted input

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases