To add scripted inputs:
A. Go to the Add New page
You add an input from the Add New page in Splunk Web. You can get there by two routes:
- Splunk Home
- Splunk Settings
Via Splunk Settings:
1. Click Settings in the upper right-hand corner of Splunk Web.
2. In the Data section of the Settings pop-up, click Data Inputs.
3a. Click Scripts to collect data from a script on the local machine. Or,
3b. Click Scripts under Forwarded Data to get data from a script running on a remote machine.
4. Click the New button to add an input.
Via Splunk Home:
1. Click the Add Data link in Splunk Home.
2. Click Monitor to monitor a script on the local machine, or Forward to forward data from a script on a remote machine. Splunk Enterprise loads the "Add Data - Select Source" page.
Note: Forwarding data from scripted inputs requires additional setup.
3. In the left pane, locate and select Scripts.
B. Select the input source
1. In the Script Path drop-down, select the path where the script resides. Splunk Enterprise updates the page to include a new drop-down, "Script Name."
2. In the Script Name drop-down, select the script that you want to run. Splunk Enterprise updates the page to populate the "Command" field with the script name.
Note: If you do not see the script you want, then you must use your operating system file management tools to put it there.
3. In the Command field, add any arguments needed to invoke the script.
4. In the Interval field, enter the amount of time (in seconds) that Splunk Enterprise should wait before invoking the script.
5. Optionally, in the Source Name Override field, enter a new source name to override the default source value.
6. Click the green Next button.
C. Specify input settings
The Input Settings page lets you specify application context, default host value, and index. All of these parameters are optional.
1. Select the source type for the script. You can choose Select to pick from the list of available source types on the local machine, or Manual to enter the name of a source type.
2. Select the appropriate Application context for this input.
3. Set the Host name value. You have several choices for this setting. Learn more about setting the host value in "About hosts".
- Note: Host only sets the host field in the resulting events. It does not direct Splunk Enterprise to look on a specific host on your network.
4. Set the Index that Splunk Enterprise should send data to. Leave the value as "default", unless you have defined multiple indexes to handle different types of events. In addition to indexes for user data, Splunk Enterprise has a number of utility indexes, which also appear in this dropdown box.
5. Click the green Review button.
D. Review your choices
After specifying all your input settings, you can review your selections. Splunk Enterprise lists all options you selected, including but not limited to the type of monitor, the source, the source type, the application context, and the index.
Review the settings. If they do not match what you want, click the white < button to go back to the previous step in the wizard. Otherwise, click the green Submit button.
Splunk Enterprise then loads the "Success" page and begins indexing the specified Active Directory node.
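The wizard fields above map onto an inputs.conf scripted-input stanza as follows. This is an added example, not part of the original documentation; the app name, script name, argument and all values are placeholders.

```ini
# $SPLUNK_HOME/etc/apps/example_app/local/inputs.conf
# example_app, collect_status.sh and every value below are placeholders.

# Script Path + Script Name, followed by the arguments from the Command field
[script://$SPLUNK_HOME/etc/apps/example_app/bin/collect_status.sh --verbose]

# Interval field: seconds to wait before invoking the script again
interval = 300

# Source Name Override field (optional); replaces the default source value
source = collect_status

# Source type selected or entered on the Input Settings page
sourcetype = example:status

# Host field value; only sets the host field in the resulting events
host = appserver01

# Index that receives the data; leave unset to use the default index
index = main

# 0 = input enabled
disabled = 0
```

Reviewing the stanza after submitting the wizard is a quick way to confirm exactly which script, with which arguments, Splunk Enterprise will run on each interval.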
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0