Splunk Search

Splunk Searches from the command line not on a search head

daniel333
Builder

All,

Is it possible to run a search from the command line (Linux) from just a random host on my network? Let's say I have a custom script that runs on a host and I'd like that script to take a certain action based on a count of a result from a search.

So I guess I am wondering if the universal forwarder can send searches back to the search head and return the results. If not, is there a way to handle this problem anyone is aware of?

0 Karma

kristian_kolb
Ultra Champion

Don't know if you can do it from a forwarder, but you certainly can from a full Splunk:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/AccessandusetheCLIonaremoteserver
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/AboutCLIsearches

Requires that you have the proper (not default) credentials though.

/K

0 Karma

Ayn
Legend

If you make sure that the host can access port 8089 on the Splunk instance you want to search on, then sure! You can issue a search like this:

splunk search 'your search' -uri https://thesplunkinstancetosearch:8089

(standing in $SPLUNK_HOME/bin, or having it in your path)
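As an added example (not part of the thread), here is the shape the original poster's "take an action based on a count" script could take around the CLI call above. It assumes `splunk` from `$SPLUNK_HOME/bin` is on the PATH of the remote host, that the instance listens on 8089, and that the `-auth` and `-output csv` parameters of `splunk search` behave as documented (header line, then values). The host name, the read-only account and the threshold are placeholders supplied through environment variables so that no password sits in the script itself.

```shell
#!/bin/sh
# Added example: run a Splunk CLI search against a remote search head and
# branch on the returned count. Not code from the thread or from Splunk.
# Assumptions: `splunk` is on PATH, port 8089 is reachable, and the
# values below are placeholders to be overridden via the environment.

SPLUNK_URI="${SPLUNK_URI:-https://searchhead.example.internal:8089}"  # placeholder host
SPLUNK_AUTH="${SPLUNK_AUTH:-search_only_user:CHANGEME}"               # placeholder, read-only role
THRESHOLD="${THRESHOLD:-10}"                                          # placeholder threshold

# Run one search on the remote instance and print its output as CSV.
run_remote_search() {
    splunk search "$1" -uri "$SPLUNK_URI" -auth "$SPLUNK_AUTH" -output csv
}

# Extract the integer from the CSV output of "... | stats count":
# line 1 is the header ("count"), line 2 the value. Prints 0 when the
# value is missing or not a number, so a failed search never triggers
# the action by accident.
count_from_csv() {
    n=$(printf '%s\n' "$1" | sed -n '2p' | tr -d '\r" ')
    case "$n" in
        ''|*[!0-9]*) echo 0 ;;
        *)           echo "$n" ;;
    esac
}

# Decide what to do: prints "alert" when count >= threshold, else "ok".
decide_action() {
    if [ "$1" -ge "$2" ]; then echo alert; else echo ok; fi
}

main() {
    # Example SPL: splunkd errors in the last 15 minutes, reduced to a count.
    search='search index=_internal sourcetype=splunkd log_level=ERROR earliest=-15m | stats count'
    out=$(run_remote_search "$search") || { echo "remote search failed" >&2; exit 2; }
    c=$(count_from_csv "$out")
    case "$(decide_action "$c" "$THRESHOLD")" in
        alert) echo "$c errors in the last 15 minutes (threshold $THRESHOLD): taking action" ;;
        ok)    echo "$c errors in the last 15 minutes: below threshold" ;;
    esac
}

# Run the search only when explicitly asked, so the helper functions can be
# sourced and exercised without a Splunk instance present.
if [ "${RUN_MAIN:-0}" = "1" ]; then main; fi
```

Run it as `RUN_MAIN=1 SPLUNK_URI=https://yourhost:8089 SPLUNK_AUTH=user:pass ./check.sh`. Two points worth keeping from the thread: the search runs with whatever the supplied account can see, so give it a dedicated role with only the indexes the script needs rather than the admin credentials kristian_kolb warns about, and remember that every such script becomes a place where those credentials live.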

kristian_kolb
Ultra Champion

damn my slow editing 🙂

0 Karma