Splunk supports scripted inputs (where Splunk calls a script and indexes the results). But what about the reverse: can I run a script from outside Splunk to inject events into Splunk?
The particular case I'm thinking of is correlating alerts produced by another management tool (e.g. SiteScope or Tivoli) with data already stored in Splunk. The other management tools have the ability to run a command-line program or script in response to an alert, but what program should I call in order to inject data into Splunk?
Another case is manually reporting human status into Splunk. For example, imagine if I could type this at the command line:
I realize there are workarounds here, like piping the output of the script into a directory and having Splunk index that directory, but I'm wondering if there's a direct connection possible without a directory as an intermediary.
Splunk 4.0 has an experimental input endpoint located at:
which takes a POST request. To submit your example code, the HTTP request looks like:
The entire body of the POST will be treated as the raw event and will be sent through the classifier, aggregator, timestamper, and typer.
The built-in Python SDK has methods around this, located at:
On a desktop machine, the new event will be available in the index within 20 seconds or so; within 3 seconds if running a real-time search beforehand.
answered 13 Jan '10, 18:06
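An added example of the POST described in the answer above, written for this page and not taken from the answer or from Splunk's SDK: it builds and sends the request with only the Python standard library, so an alerting tool's command hook can call it directly. The endpoint path `/services/receivers/simple`, the management port 8089, HTTP Basic authentication, the `source`/`sourcetype`/`host` query parameters, the `splunk-ingest` user and the sample event text are all assumptions; substitute the endpoint the answer refers to. Two practitioner points: use a dedicated low-privilege Splunk user for the hook rather than admin, and keep TLS verification on by pointing a context at the CA that signed the indexer's (typically self-signed) certificate instead of disabling checks.

```python
"""Post one raw event to a Splunk HTTP receiver endpoint.

Added example, not the answer's or Splunk's code. The path
/services/receivers/simple, port 8089, HTTP Basic auth and the
source/sourcetype/host query parameters are assumptions.
"""
import base64
import ssl
import urllib.parse
import urllib.request

BASE_URL = "https://splunkhost:8089"          # assumed management host/port
RECEIVER_PATH = "/services/receivers/simple"  # assumed endpoint path


def build_request(event, user, password, base_url=BASE_URL,
                  source=None, sourcetype=None, host=None):
    """Return a ready-to-send POST whose body is the raw event text.

    Metadata travels in the query string and the event in the body, so the
    body is indexed byte-for-byte and no quoting of the event is needed.
    """
    if not event.strip():
        raise ValueError("refusing to submit an empty event")
    params = {k: v for k, v in (("source", source), ("sourcetype", sourcetype),
                                 ("host", host)) if v}
    url = base_url.rstrip("/") + RECEIVER_PATH
    if params:
        url += "?" + urllib.parse.urlencode(params)
    body = event.encode("utf-8")
    if not body.endswith(b"\n"):
        body += b"\n"
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "text/plain; charset=utf-8")
    return req


def tls_context(cafile):
    """Verify the indexer's certificate against a pinned CA file; never disable checks."""
    return ssl.create_default_context(cafile=cafile)


def submit_event(req, context, timeout=5.0):
    """Send the request; returns (HTTP status, response body). Raises on HTTP/TLS errors."""
    with urllib.request.urlopen(req, timeout=timeout, context=context) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed sample: what a SiteScope hook might pass on the command line.
    request = build_request("disk full on web01", "splunk-ingest", "s3cret",
                            sourcetype="sitescope", host="mon01")
    print(request.get_method(), request.full_url)
    # submit_event(request, tls_context("/etc/ssl/splunk-ca.pem"))  # assumed CA path
```

The hook can pass the alert text as an argument and the script forwards it unchanged; the `host` parameter lets the event be attributed to the monitored machine rather than the box running the hook.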
If this is a UNIX system, you can use logger(1) to log a message using syslog:
In your /etc/syslog.log, add a line as follows:
and on splunk.example.com add a UDP input on port 514.
answered 13 Jan '10, 19:57
You could also try this from the command line:
answered 13 Jan '10, 21:31
Another thing you can do is, if you have a UDP or TCP input set up on your indexer, just use ncat or nc to send a line or a whole file to Splunk. Works on Windows, Linux and Mac. e.g. UDP:
echo "blah blah blah" | ncat -u splunkhost 514
ncat -u splunkhost 514 < myfileinput.log
ncat for Windows and Mac is at http://nmap.org/ncat/
nc is built in on Linux (also on Mac, but doesn't seem to send UDP).
answered 13 Jan '10, 23:26
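The nc/ncat one-liners in this answer and the logger(1)/syslog route two answers up both come down to the same thing: one line written to a plain UDP or TCP socket. The script below, added here as an example and not code from either answer, does that from Python so an alerting tool can call it without depending on nc being present or supporting UDP. `splunkhost`, port 514, the `sitescope` tag and the sample event are constructed assumptions. Caveat a practitioner should keep in mind: a raw UDP or TCP input has no authentication and no integrity protection, so any host that can reach the port can inject events or forge the hostname in the syslog header; restrict source addresses with the input's `acceptFrom` setting or a host firewall, and prefer TCP where a silently dropped datagram would matter.

```python
"""Send an event line to a Splunk UDP or TCP network input from a script.

Added example, not code from the answers above. splunkhost/514 is an
assumption; use the host and port of the input you configured.
"""
import datetime
import socket

SPLUNK_HOST = "splunkhost"   # assumed indexer with a [udp://514] or [tcp://514] input
SPLUNK_PORT = 514


def syslog_line(message, tag="alerts", hostname=None, when=None, pri=14):
    """Format one BSD-syslog (RFC 3164) style line, as logger(1) would send it.

    pri 14 = facility user (1*8) + severity info (6).
    """
    when = when or datetime.datetime.now()
    hostname = hostname or socket.gethostname()
    # A newline inside the message would be indexed as a second event; fold it.
    message = " ".join(message.splitlines())
    stamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f"<{pri}>{stamp} {hostname} {tag}: {message}\n"


def send_event(line, host=SPLUNK_HOST, port=SPLUNK_PORT, proto="udp", timeout=5.0):
    """Deliver one line. UDP is fire-and-forget; TCP fails loudly if the input is down."""
    data = line.encode("utf-8")
    if proto == "udp":
        if len(data) > 1024:
            raise ValueError("event too large for a single syslog datagram")
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(data, (host, port))
    elif proto == "tcp":
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(data)
    else:
        raise ValueError(f"unknown proto {proto!r}")
    return len(data)


def loopback_check(line, proto="udp"):
    """Exercise send_event against a throwaway listener on 127.0.0.1 and return what arrived.

    Run this before pointing the hook at the indexer; it proves the framing,
    not that the real input is reachable.
    """
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
            srv.bind(("127.0.0.1", 0))
            srv.settimeout(5)
            send_event(line, "127.0.0.1", srv.getsockname()[1], "udp")
            data, _ = srv.recvfrom(65535)
            return data.decode("utf-8")
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        srv.settimeout(5)
        send_event(line, "127.0.0.1", srv.getsockname()[1], "tcp")
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5)
            chunks = []
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        return b"".join(chunks).decode("utf-8")


# Constructed sample event: an alert a monitoring tool might hand to the hook.
SAMPLE_EVENT = syslog_line("disk full on web01", tag="sitescope", hostname="mon01",
                           when=datetime.datetime(2010, 1, 13, 18, 6, 0))

if __name__ == "__main__":
    print(repr(loopback_check(SAMPLE_EVENT, "udp")))
    # send_event(SAMPLE_EVENT, proto="tcp")  # real delivery to the indexer
```

With a plain `[udp://514]` input the indexer records the sending IP as the host unless the syslog sourcetype is applied to parse the header, which is exactly why the hostname in that header must not be trusted from arbitrary senders.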
If going over the network is somehow inconvenient (not a fan of nc), you can also set up a FIFO (named pipe) input and write your data to this. This has the positive that the flow control will give you a good idea when the data has been fully accepted. It has, of course, the negative of all transient data interfaces: it will be difficult to review in case of a problem.
This is most appropriate when your source data is relatively persistent so you can handle discontinuities in service.
answered 14 Jan '10, 01:32
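An added example of the FIFO approach in this answer, written for this page and not code from the answer or from Splunk. It shows the two properties the answer mentions: the blocking write is the flow control (it returns only once the reader has taken the bytes), and the failure mode of a transient interface (nobody reading) is made visible instead of hanging the alerting tool's hook or silently losing the event. The pipe path, the retry budget and the sample event are assumptions, and the demo assumes a Unix system with `os.mkfifo`.

```python
"""Write events into a named pipe that Splunk reads as a fifo input.

Added example, not from the answer above; PIPE_PATH is an assumption and
must match the [fifo://...] stanza on the indexer.
"""
import errno
import os
import tempfile
import threading
import time

PIPE_PATH = "/var/spool/splunk/events.fifo"   # assumed path


def write_event(fifo_path, event):
    """Write one event to the FIFO.

    Returns True once a reader has accepted the bytes, False if no reader holds
    the pipe open, so the caller can retry or fall back to a file instead of
    blocking forever or losing the event.
    """
    data = event.encode("utf-8")
    if not data.endswith(b"\n"):
        data += b"\n"
    try:
        # Non-blocking open fails with ENXIO when nobody has the read end open;
        # a blocking open would hang the alerting tool's hook until Splunk starts.
        fd = os.open(fifo_path, os.O_WRONLY | os.O_NONBLOCK)
    except OSError as exc:
        if exc.errno == errno.ENXIO:
            return False
        raise
    try:
        os.set_blocking(fd, True)   # now let writes block: back-pressure is the flow control
        while data:                 # writes above PIPE_BUF may be partial; loop until done
            data = data[os.write(fd, data):]
    except BrokenPipeError:         # reader went away between open and write
        return False
    finally:
        os.close(fd)
    return True


def write_event_retry(fifo_path, event, attempts=20, delay=0.05):
    """Retry briefly while the reader (Splunk) is restarting, then give up."""
    for _ in range(attempts):
        if write_event(fifo_path, event):
            return True
        time.sleep(delay)
    return False


def loopback_demo(event):
    """Create a private FIFO, show the no-reader case, then deliver to a reader thread."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "events.fifo")
    os.mkfifo(path, 0o600)   # owner-only: anyone who can write the pipe can inject events
    received = []
    try:
        before = write_event(path, event)            # no reader yet -> False

        def reader():
            with open(path, "rb") as pipe:           # blocks until a writer opens, reads to EOF
                received.append(pipe.read())

        worker = threading.Thread(target=reader, daemon=True)
        worker.start()
        after = write_event_retry(path, event)       # True once the reader holds the pipe
        worker.join(5)
    finally:
        os.unlink(path)
        os.rmdir(workdir)
    return before, after, received[0].decode("utf-8") if received else None


if __name__ == "__main__":
    # Constructed sample: the "human status" case from the question.
    print(loopback_demo("manual status: web tier deploy finished"))
```

The `0o600` mode matters: the FIFO is an unauthenticated ingestion path on the local host, so its permissions are the only thing deciding who can write events into the index. Events longer than `PIPE_BUF` (4096 bytes on Linux) lose write atomicity and can interleave with another writer's line, so keep one line per event and one writer per pipe where you can.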