
How to correctly set up scripted (bash script) on forwarded input (UF) in HF via CLI or configuration?

hamidseleman
New Member

Hi,
I've been googling for weeks but to no avail on how to correctly set up a scripted input on HF to massage input forwarded from UF.
Following is a simple setup for inputs:

inputs.conf in UF
[monitor:///path-to-log/file.txt]
sourcetype = mysourcetype
index = myindex
crcSalt = <SOURCE>
disabled = false

inputs.conf in HF
[script://./bin/scripts/massager.sh]
sourcetype = mysourcetype
index = myindex
interval = 60.0
disabled = false

Sample setup or link highly appreciated.

Thanks.

0 Karma

adonio
Ultra Champion

Hello there,

Can you please elaborate?
What is it that you are trying to achieve?
You don't need any script on HF to send data that is coming from the UF, only configure inputs and outputs.

0 Karma

hamidseleman
New Member

Hi,
I am trying to massage the raw log sourced at the UF by running a script at the HF before handing off data to the Indexer. I don't want to run the script at the UF end. This is to free up the UF from additional processing requirements.

0 Karma

jkat54
SplunkTrust

You’ll have to “massage” the data using props and transforms on the HF and possibly the UF.

See this article: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

0 Karma

hamidseleman
New Member

Thanks but for some reason I need to work with scripts.

0 Karma

adonio
Ultra Champion

@hamidseleman
I am not sure what exactly you are trying to achieve and why you would have to work with scripts.
You can massage the raw data from the UF at the HF using props and transforms.

0 Karma

hamidseleman
New Member

Hi,
What I am trying to achieve is mostly already stated exactly in the question itself. Anyway, thanks.

0 Karma