Forums: SplunkPreview: Help testing scripted event

Previous Topic: Permission denied db-hot | Next Topic: How to monitor logs in other machine?

Posts 1–2 of 2 | Post to this topic

posted by: sfloyd | posts
date: June 27, 2008
permalink

Splunk: Windows Preview
OS: Windows XP

I have followed the instructions for scripted events. I have created a batchfile called "heh.bat" and placed it in the following folder "C:\Program Files\SplunkPreview\etc\bundles\scripts\bin". I have confirmed the script is executable.

I added the following to inputs.conf in {{$SPLUNK_HOME/etc/bundles/scripts

[script:$SPLUNK_HOME\etc\bundles\scripts\bin\heh.bat]
interval = 5
index = {main}
sourcetype = tasklist
source = script:./bin/heh.bat
disabled = 0

I modified the $SPLUNK_HOME/etc/bundles/scripts/props.conf file because this was a multiline event

[tasklist]
BREAK_ONLY_BEFORE = GobblyGook
DATETIME_CONFIG = CURRENT

I restart splunk, but this does not work.

posted by: araitz | posts
date: June 27, 2008
permalink

change:

index = {main}

index = main

If you are still having problems, change the script path to the full path without using $SPLUNK_HOME.

If you are still having issues after that, post up any events from splunkd.log involving your script.

Post to this topic

You must be logged in to post a reply.

Flash required to play this video.

Click here to download the free Flash Player.

Description:

Permalink:

Browse all videos » « Close window and return to article