Scripted inputs

Scripted inputs

By configuring inputs.conf, Splunk can also accept events from scripts. Scripted input is useful for command-line tools, such as vmstat, iostat, netstat, top, etc.

Note: Currently, scripted inputs do not get bundled in the deployment server. In the future, Splunk will support this behavior. For now, use your preferred configuration automation tool to push your script directory to your server classes.

Configuration

• Create a new directory under $SPLUNK_HOME/etc/bundles/.
  • For example, make a directory called scripts/.
  • This is the location of your scripts bundle directory.
• In your new scripts/ directory, create a directory bin/ to contain the actual script.

Note: Your script must be in the bin/ directory underneath your scripts/ directory.

• Add the following lines to $SPLUNK_HOME/etc/bundles/scripts/inputs.conf file:

[script://$SCRIPT] 
interval = X 
index = {main, $YOUR_INDEX}
sourcetype = {iostat, vmstat, etc}  OPTIONAL
source = {iostat, vmstat, etc} OPTIONAL
disabled = false

Variables

• script is the fully-qualified path to the location of the script
• interval is in seconds
  • for constant data streams, enter 0
  • for one-shot data streams, enter -1
  • Note: this will re-run each time the splunk daemon restarts
• index can be any index in your Splunk instance
• disabled is a boolean value that can be set to true if you want to disable the input
• sourcetype and source can be any value you'd like. Optional.

Example

This example shows the use of the UNIX top command as a data input source.

• Start by creating a new bundle directory. We will use scripts/:

$ mkdir $SPLUNK_HOME/etc/bundles/scripts

• All scripts should be run out of a bin/ directory inside your bundle directory:
• $ mkdir $SPLUNK_HOME/etc/bundles/scripts/bin
• This example uses a small shell script top.sh:

$ #!/bin/sh
 top -bn 1  # linux only - different OSes have different paramaters

• Make sure the script is executable:

chmod +x $SPLUNK_HOME/etc/bundles/scripts/bin/top.sh

• Test that the script works by running it via the shell:

$SPLUNK_HOME/etc/bundles/scripts/bin/top.sh

• The script should have sent one top output.
• Add the script entry to inputs.conf in {{$SPLUNK_HOME/etc/bundles/scripts}:

[script:///opt/splunk/etc/bundles/scripts/bin/top.sh]
interval = 5                # run every 5 seconds
sourcetype = top        # set sourcetype to top
source = script://./bin/top.sh   # set source to name of script

Note:

• You must restart your Splunk server for these changes to take effect.
• You may need to modify props.conf:
  • By default Splunk breaks the single top entry into multiple events.
  • The easiest way to fix this problem is to tell the Splunk server to break only before something that does not exist in the output.
  • For example, adding the following to $SPLUNK_HOME/etc/bundles/scripts/props.conf forces all lines into a single event:

[top]
BREAK_ONLY_BEFORE = GobblyGook

• Since there is no timestamp in the top output we need to tell Splunk to use the current time. This is done in props.conf by setting:

DATETIME_CONFIG = CURRENT