Scripted inputs overview
During indexing, Splunk software uses line termination characters and timestamps to parse incoming data into events. Fields common to all events, such as
linecount, are then extracted. Custom per-event fields, such as
transactionId, are also extracted.
You might want to use scripts to send data for indexing, or to prepare data from a non-standard source so that events and extracted fields can be properly parsed. You can use shell scripts, python scripts, Windows batch files, PowerShell, or any other utility that can format and stream the data that you want to index.
You can use a script to stream data or to write the data from a script to a file.
- Streaming data
- In this scenario, the script is started at a specified interval. The platform indexes the
stdoutdata stream from the script.
- Prior to starting the script, the system checks to see If the script is already running. If it is currently running, the script is not restarted.
- Writing data to a file for indexing
- This scenario works like a file input. You create a script to write to a log file and then configure your Splunk deployment to monitor and index this log file.
- You can configure your Splunk deployment to launch the program at specific intervals, rather than configuring an external method (such as cron or Windows scheduled task) to launch the script.
Use cases for scripted inputs
Typical use cases for scripted inputs include the following.
- Access data that is not available as an ordinary file.
- Access data that cannot be sent using TCP or UDP.
- Stream data from command-line tools, such as
- Poll a database, web service, or API for specific data and process the results.
- Reformat complex data to more easily parse the data into events and fields.
- Maintain data sources with slow or resource-intensive startup procedures.
- Provide special or complex handling for transient or unstable inputs.
- Scripts that manage passwords and credentials
- Wrapper scripts for command line inputs that contain special characters (see Using a wrapper script in Getting Data In )
Get data from APIs and other remote data interfaces through scripted inputs in the Getting Data In manual details how to add a scripted input using Splunk Web and how to manually edit the
inputs.conf file to add a scripted input. This section focuses on script structure, and provides tips and examples to help you create your own scripts.
For information about working with external lookups to add fields from external sources to events, see Configure external lookups in the Knowledge Manager Manual.
For more information on the data that you can index, see What Splunk software can index in the Getting Data In manual.
Modular inputs examples
Setting up a scripted input
This documentation applies to the following versions of Splunk Cloud Platform™: 8.0.2006, 8.1.2009, 8.1.2011, 8.0.2007, 8.1.2012, 8.1.2101, 8.1.2103, 8.2.2104, 8.2.2105 (latest FedRAMP release), 8.2.2106