Splunk Cloud Platform

Developing Views and Apps for Splunk Web

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Scripted inputs overview

During indexing, Splunk software uses line termination characters and timestamps to parse incoming data into events. Fields common to all events, such as host, source, sourcetype, eventtype, timestamp, linecount, are then extracted. Custom per-event fields, such as username and transactionId, are also extracted.

You might want to use scripts to send data for indexing, or to prepare data from a non-standard source so that events and extracted fields can be properly parsed. You can use shell scripts, python scripts, Windows batch files, PowerShell, or any other utility that can format and stream the data that you want to index.

You can use a script to stream data or to write the data from a script to a file.

Streaming data
In this scenario, the script is started at a specified interval. The platform indexes the stdout data stream from the script.
Prior to starting the script, the system checks to see If the script is already running. If it is currently running, the script is not restarted.
Writing data to a file for indexing
This scenario works like a file input. You create a script to write to a log file and then configure your Splunk deployment to monitor and index this log file.
You can configure your Splunk deployment to launch the program at specific intervals, rather than configuring an external method (such as cron or Windows scheduled task) to launch the script.

Use cases for scripted inputs

Typical use cases for scripted inputs include the following.

  • Access data that is not available as an ordinary file.
  • Access data that cannot be sent using TCP or UDP.
  • Stream data from command-line tools, such as vmstat and iostat.
  • Poll a database, web service, or API for specific data and process the results.
  • Reformat complex data to more easily parse the data into events and fields.
  • Maintain data sources with slow or resource-intensive startup procedures.
  • Provide special or complex handling for transient or unstable inputs.
  • Scripts that manage passwords and credentials
  • Wrapper scripts for command line inputs that contain special characters (see Using a wrapper script in Getting Data In )

Additional resources

Get data from APIs and other remote data interfaces through scripted inputs in the Getting Data In manual details how to add a scripted input using Splunk Web and how to manually edit the inputs.conf file to add a scripted input. This section focuses on script structure, and provides tips and examples to help you create your own scripts.

For information about working with external lookups to add fields from external sources to events, see Configure external lookups in the Knowledge Manager Manual.

For more information on the data that you can index, see What Splunk software can index in the Getting Data In manual.

Last modified on 08 September, 2021
Modular inputs examples
Setting up a scripted input

This documentation applies to the following versions of Splunk Cloud Platform: 8.0.2006, 8.1.2009, 8.1.2011, 8.0.2007, 8.1.2012, 8.1.2101, 8.1.2103, 8.2.2104, 8.2.2105 (latest FedRAMP release), 8.2.2106

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters