About the Splunk Admin Manual

What's in the Admin Manual?

How Splunk Works

Overview of Splunk

Getting Started

Data Inputs

Data Distribution

Indexing

Timestamps

Fields

Hosts

Source Types

Event Types

Transaction Types

Search

Distributed Search

Alerts

Security

Data Management

Deployment Server

Performance Tuning

Configuration Files

Applications

Troubleshooting

Scripted inputs

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Configuration
Example
props.conf

Scripted inputs

By configuring inputs.conf, Splunk can accept events from scripts. Scripted input is useful for command-line tools, such as vmstat, iostat, netstat, top, etc.

Note: Currently, scripted inputs do not get sent via the deployment server. In the future, Splunk will support this behavior. For now, use your preferred configuration automation tool to push your script directory to your server classes.

Note: On Windows platforms, use of text-based scripts such those in perl and python can be handled via the use of an intermediary window batch (.bat) file.

Caution: Scripted input-launched scripts inherit Splunk's environment, so be sure to clear environment variables which may affect your script's operation. The only environment variable that's likely to cause problems is the library path (most commonly known as LD_LIBRARY_PATH on linux/solaris/freebsd).

Configuration

Configure inputs.conf, using the following attributes:

[script://$SCRIPT] 
interval = X 
index = <index>
sourcetype = <iostat, vmstat, etc>  OPTIONAL
source = <iostat, vmstat, etc> OPTIONAL
disabled = <true | false>

script is the fully-qualified path to the location of the script.
- As a best practice, put your script in the bin/ directory nearest the inputs.conf where your script is specified. So if you are configuring $SPLUNK_HOME/etc/system/local/inputs.conf, place your script in $SPLUNK_HOME/etc/system/bin/. If you're working on an application in $SPLUNK_HOME/etc/apps/$APPLICATION/, put your script in $SPLUNK_HOME/etc/apps/$APPLICATION/bin/.
interval is in seconds.
- Splunk keeps one invocation of a script per instance. Intervals are based on when the script completes. So if you have a script configured to run every ten minutes and the script takes 20 minutes complete the next run will be 30 minutes after the first run.
- for constant data streams, enter 1 (or a value smaller than the script's interval).
- for one-shot data streams, enter -1.
- Note: Setting interval to -1 will cause the script to re-run each time the splunk daemon restarts.
index can be any index in your Splunk instance.
- Default is main.
disabled is a boolean value that can be set to true if you want to disable the input.
- Defaults to false.
sourcetype and source can be any value you'd like.
- The value you specify is appended to data coming from your script in the sourcetype= or source= fields.
- These are optional settings.

If you want the script to run continuously, write the script to never exit and set it on a short interval. This helps to ensure that if there is a problem the script gets restarted. Splunk keeps track of scripts it has spawned and will shut them down upon exit.

Example

This example shows the use of the UNIX top command as a data input source.

Start by creating a new application directory. This example uses scripts/:

$ mkdir $SPLUNK_HOME/etc/apps/scripts

All scripts should be run out of a bin/ directory inside your application directory:
$ mkdir $SPLUNK_HOME/etc/apps/scripts/bin
This example uses a small shell script top.sh:

$ #!/bin/sh
 top -bn 1  # linux only - different OSes have different paramaters

Make sure the script is executable:

chmod +x $SPLUNK_HOME/etc/apps/scripts/bin/top.sh

Test that the script works by running it via the shell:

$SPLUNK_HOME/etc/apps/scripts/bin/top.sh

The script should have sent one top output.
Add the script entry to inputs.conf in $SPLUNK_HOME/etc/apps/scripts/default/:

[script:///opt/splunk/etc/apps/scripts/bin/top.sh]
interval = 5                # run every 5 seconds
sourcetype = top        # set sourcetype to top
source = script://./bin/top.sh   # set source to name of script

props.conf

You may need to modify props.conf:

By default Splunk breaks the single top entry into multiple events.
The easiest way to fix this problem is to tell the Splunk server to break only before something that does not exist in the output.

For example, adding the following to $SPLUNK_HOME/etc/apps/scripts/default/props.conf forces all lines into a single event:

[top]
BREAK_ONLY_BEFORE = <stuff>

Since there is no timestamp in the top output we need to tell Splunk to use the current time. This is done in props.conf by setting:

DATETIME_CONFIG = CURRENT

Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.4.11/Admin/ScriptedInputs"

« FIFO inputs Whitelist and blacklist rules »

This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13 , 3.4.14 View the Article History for its revisions.

Was this topic useful?
Post a comment

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!

Admin Manual

Scripted inputs

Contents

Scripted inputs

Configuration

Example

props.conf

Comments