Using scripts to gather data
A scripted input in Splunk is simply a process that outputs text. Splunk will run the script periodically, as configured in inputs.conf. Let's make a simple example.
The configuration inputs.conf inside your app would contain an entry as follows:
[script://./bin/user_count.sh]
interval = 60
sourcetype = user_count
The script in bin/user_count.sh could contain something as follows:
#!/bin/sh
# Timestamp in a format Splunk's default timestamp extraction recognizes
DATE=$(date "+%Y-%m-%d %H:%M:%S")
# Number of lines in /etc/passwd, emitted as a key=value pair
COUNT=$(wc -l /etc/passwd | awk '{print "users="$1}')
echo "$DATE $COUNT"
This would produce output such as this:
2012-10-15 19:57:02 users=84
Good examples of this type of script are available in the Unix app available at splunkbase.com.
Please note that:
• New to Splunk 4.3: interval can be a cron schedule.
• If the name of the script ends in .py, Splunk will use its own copy of Python. Remember that there is no Python included with Universal Forwarder.
• Use props.conf to control event breaking as if this output was being read from a file.
• Set DATETIME_CONFIG to CURRENT if there is no date in the output.
• Set an appropriate BREAK_ONLY_BEFORE pattern if the events are multiline.
• Set SHOULD_LINEMERGE to False if the events are not multiline.
• Only one copy of each input stanza will run at a time. If a script should run continually, set interval to -1.
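As an added example (not the book's code, nor the Unix app's), the script below extends the user_count.sh idea to several single-line events per run, one per login shell, so a change in the number of accounts with an interactive shell shows up in search; the script name, sourcetype and interval are assumed, and the sample passwd text is constructed.

```shell
#!/bin/sh
# Added example, not from the book: a scripted input that emits one complete
# event per line so that props.conf can set SHOULD_LINEMERGE = false for the
# (assumed) sourcetype user_shell_count. The matching inputs.conf stanza would be
#   [script://./bin/user_shell_count.sh]
#   interval = 300
#   sourcetype = user_shell_count

# Count accounts per login shell in passwd-format text read from stdin
# (7 colon-separated fields, shell last; shorter lines are skipped).
# Output is sorted so it is stable from run to run.
count_shells() {
    awk -F: 'NF >= 7 { n[$7]++ }
             END { for (s in n) printf "shell=%s users=%d\n", s, n[s] }' |
        LC_ALL=C sort
}

# Prefix each line with a timestamp in the same "%Y-%m-%d %H:%M:%S" format
# as user_count.sh, so Splunk extracts the time without DATETIME_CONFIG.
emit_events() {
    now=$(date "+%Y-%m-%d %H:%M:%S")
    count_shells | while IFS= read -r line; do
        printf '%s %s\n' "$now" "$line"
    done
}

# Constructed sample input for trying the functions without touching the
# real /etc/passwd; not real account data.
SAMPLE_PASSWD=$(printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
    'alice:x:1000:1000:Alice:/home/alice:/bin/bash' \
    'bob:x:1001:1001:Bob:/home/bob:/bin/zsh' \
    'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin')

# Only read the real file when Splunk runs this script under its own name;
# sourcing the file elsewhere just defines the functions above.
case "$0" in
    *user_shell_count.sh) emit_events < /etc/passwd ;;
esac
```

Pipe the sample through count_shells to see the three shell=... users=... lines that emit_events would timestamp.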
Sizing indexers
There are a number of factors that affect how many Splunk indexers you will need,
but starting with a "model" system with typical usage levels, the short answer is 100
gigabytes of raw logs per day per indexer. In the vast majority of cases, the disk is
the performance bottleneck, except in the case of very slow processors.