Scripted inputs
This documentation does not apply to the most recent version of Splunk.
By configuring inputs.conf, Splunk can also accept events from scripts: splunkd runs the script on the schedule you give it and indexes whatever the script writes to standard output.
Scripted input is useful for command-line tools that report system state, such as vmstat, iostat, netstat, top, etc.
Please note: currently, scripted inputs do not get bundled in the deployment server. In the future, Splunk will support this behavior. For now, please use your preferred configuration automation tool to push your script directory to your server classes.
Configuration
- Create a new directory under $SPLUNK_HOME/etc/bundles/. For example, make a directory called scripts/. This will be the location of your new scripts bundle.
- In your new scripts/ directory, create a directory bin/ to contain the actual script.
Please note: your script must be in the bin/ directory underneath your scripts/ directory. splunkd executes it with its own privileges, so anyone who can write to bin/ or to the script itself can run code as the Splunk user; keep both owned by the Splunk user and not group- or world-writable.
- Add the following lines to the $SPLUNK_HOME/etc/bundles/scripts/inputs.conf file:
[script://$SCRIPT]
interval = X
index = {main, $YOUR_INDEX}
sourcetype = {iostat, vmstat, etc} OPTIONAL
source = {iostat, vmstat, etc} OPTIONAL
disabled = false
Variables:
- script is the fully-qualified path to the location of the script.
- interval is in seconds.
  - For constant data streams, enter 0.
  - For one-shot data streams, enter -1. Please note: a one-shot script will re-run each time the splunk daemon restarts.
- index can be any index in your Splunk instance.
- disabled is a boolean value that can be set to true if you want to disable the input.
- sourcetype and source can be any value you'd like. Optional.
Example
This example shows the use of the UNIX top command as a data input source.
- Start by creating a new bundle directory. We will use scripts/:
$ mkdir $SPLUNK_HOME/etc/bundles/scripts
- All scripts should be run out of a bin/ directory inside your bundle directory:
$ mkdir $SPLUNK_HOME/etc/bundles/scripts/bin
- In this example we will create a small shell script, $SPLUNK_HOME/etc/bundles/scripts/bin/top.sh, containing:
#!/bin/sh
# Linux only: batch mode, one iteration. Other OSes use different parameters.
top -bn 1
- Make sure the script is executable:
$ chmod +x $SPLUNK_HOME/etc/bundles/scripts/bin/top.sh
- Test that the script works by running it via the shell:
$ $SPLUNK_HOME/etc/bundles/scripts/bin/top.sh
- The script should have printed one snapshot of top output.
- Add the script entry to inputs.conf in $SPLUNK_HOME/etc/bundles/scripts. Keep comments on their own lines; Splunk does not strip comments from the end of a key = value line:
# run every 5 seconds
[script:///opt/splunk/etc/bundles/scripts/bin/top.sh]
interval = 5
# set sourcetype to top
sourcetype = top
# set source to name of script
source = script://./bin/top.sh
Please note:
- You will need to restart your Splunk server for these changes to take effect.
- You may need to modify props.conf:
  - By default Splunk will break the single top entry into multiple events.
  - The easiest way to fix this problem is to tell the Splunk server to break only before something that will not exist in the output.
  - For example, adding the following to $SPLUNK_HOME/etc/bundles/scripts/props.conf will force all lines into a single event:
[top]
BREAK_ONLY_BEFORE = GobblyGook
- Since there is no timestamp in the top output we will need to tell Splunk to use the current time. This is done in props.conf by setting:
DATETIME_CONFIG = CURRENT
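The whole procedure above, assembled into one script as an added example (this is not from the Splunk documentation): it writes the scripts/ bundle with top.sh, inputs.conf and props.conf under a bundle root you pass in, then runs the pre-flight checks a practitioner would want before restarting splunkd. The function names make_scripts_bundle and check_scripts_bundle are this example's own; splunkd is not needed to run it, only files are written and inspected.

```shell
#!/bin/sh
# Added example, not part of the Splunk documentation. Builds the scripts/
# bundle described above and checks it before splunkd is restarted.
# $1 is the bundle root, e.g. "$SPLUNK_HOME/etc/bundles/scripts".

# Lay out the bundle exactly as the procedure above describes.
make_scripts_bundle() {
    bundle="$1"
    mkdir -p "$bundle/bin"
    chmod 755 "$bundle" "$bundle/bin"

    # The script splunkd will run. `top -bn 1` is Linux-specific (batch
    # mode, one iteration); other OSes need different flags.
    cat > "$bundle/bin/top.sh" <<'EOF'
#!/bin/sh
top -bn 1
EOF
    chmod 755 "$bundle/bin/top.sh"

    # inputs.conf: fully-qualified script path, run every 5 seconds.
    # Comments sit on their own lines; Splunk does not strip inline ones.
    cat > "$bundle/inputs.conf" <<EOF
# UNIX top as a scripted input
[script://$bundle/bin/top.sh]
interval = 5
sourcetype = top
source = script://./bin/top.sh
disabled = false
EOF

    # props.conf: one event per top run, stamped with the current time
    # because top prints no timestamp of its own.
    cat > "$bundle/props.conf" <<'EOF'
[top]
BREAK_ONLY_BEFORE = GobblyGook
DATETIME_CONFIG = CURRENT
EOF
}

# Pre-flight checks. Returns 0 if all pass; otherwise prints the first
# problem found and returns 1.
check_scripts_bundle() {
    bundle="$1"
    inputs="$bundle/inputs.conf"
    [ -f "$inputs" ] || { echo "missing $inputs"; return 1; }

    # 1. The stanza must name a fully-qualified path to an existing file
    #    under the bundle's bin/ directory.
    script=$(sed -n 's/^\[script:\/\/\(.*\)\]$/\1/p' "$inputs" | head -n 1)
    case "$script" in
        /*) ;;
        *) echo "script path must be fully-qualified: '$script'"; return 1 ;;
    esac
    case "$script" in
        "$bundle"/bin/*) ;;
        *) echo "script must live under $bundle/bin: '$script'"; return 1 ;;
    esac
    [ -f "$script" ] || { echo "stanza points at missing file: $script"; return 1; }

    # 2. The script must be executable and start with an interpreter line.
    [ -x "$script" ] || { echo "not executable: $script"; return 1; }
    head -n 1 "$script" | grep -q '^#!' || { echo "no #! line: $script"; return 1; }

    # 3. interval must be -1 (one-shot), 0 (constant stream) or a
    #    positive number of seconds.
    interval=$(sed -n 's/^interval *= *//p' "$inputs" | head -n 1)
    echo "$interval" | grep -Eq '^(-1|0|[1-9][0-9]*)$' \
        || { echo "bad interval: '$interval'"; return 1; }

    # 4. splunkd runs whatever is in bin/ with its own privileges, so
    #    neither bin/ nor the script may be group- or world-writable.
    for f in "$bundle/bin" "$script"; do
        mode=$(ls -ld "$f" | cut -c1-10)   # e.g. -rwxr-xr-x
        case "$mode" in
            ?????w*|????????w?) echo "group/world writable: $f ($mode)"; return 1 ;;
        esac
    done
    return 0
}
```

Run make_scripts_bundle "$SPLUNK_HOME/etc/bundles/scripts", then check_scripts_bundle on the same path, run bin/top.sh by hand once as the procedure says, and only then restart splunkd. The permission check is the one worth keeping even if you drop the rest: a group- or world-writable bin/ lets anyone who can write there run code as the Splunk user on the next interval.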
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4