Simplifying the status quo
I’m often thinking about potential sources of data for Splunk and how to get that data into Splunk in the simplest manner possible.
And what better source of data than the existing programs on your operating system that already do the heavy lifting for you?
Now, this is nothing new to Splunk: we’ve always been able to wrap a program in a scripted input, execute it, transform the output and pipe it into Splunk.
But rather than creating a specific program wrapper for Splunk each time you need to capture a program’s output, why not create a single Modular Input that can be used as a generic wrapper for whatever program output you want to capture?
Well, that’s just what I have done. The Command Modular Input is quite simply a wrapper around whatever system programs you want to periodically execute and capture the output from (e.g. top, ps, iostat, sar, vmstat, netstat, tcpdump, tshark, etc.). It will work on all supported Splunk platforms.
Download and Install
Head on over to Splunkbase and download the Command Modular Input.
Untar into $SPLUNK_HOME/etc/apps and restart Splunk.
Setup
Login to Splunk and browse to Manager->Data Inputs. Note that the configured command runs with the privileges of the account splunkd runs as, so restrict who may create or edit these inputs.
Setup a new command input
List command inputs you have setup
Search your command output
Custom Output Handlers
You may want to transform and process the raw command output before sending it to Splunk. To facilitate this you can provide your own custom output handler.
This is a Python class that you add to the command_ta/bin/outputhandlers.py module.
You then declare the class name and any parameters for it on the Command setup page.
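As an added illustration of what such a handler might do (this is example code, not the handler class shipped with the Command Modular Input), the class below turns tabular command output such as that of ps or netstat into key=value events. The constructor-with-keyword-arguments and `__call__` shape, the hypothetical `prefix` parameter, and writing one event per line to stdout are all assumptions: compare them with the DefaultOutputHandler in the shipped outputhandlers.py and match whatever signature and emission format that class uses. The sample ps output is constructed.

```python
"""Added example of a custom output handler: tabular command output
(one header row, then data rows) -> Splunk-friendly key=value events.

Not the app's own code. The handler interface used here is an ASSUMPTION
to be checked against command_ta/bin/outputhandlers.py before use.
"""
import re
import sys

# Constructed sample: roughly what `ps -eo pid,user,pcpu,rss,args` prints.
SAMPLE_PS_OUTPUT = """\
  PID USER     %CPU   RSS COMMAND
    1 root      0.0  9876 systemd
  842 splunk    3.2 51200 splunkd
 1337 www-data  0.1  4096 nginx
 2000 bob       0.5  1024 python app.py --x
"""


def parse_table(output):
    """Split a header row plus data rows into dicts keyed by the lower-cased
    header names (non-alphanumerics become underscores, so %CPU -> cpu).
    The last column absorbs any remaining tokens, so a COMMAND value that
    contains spaces survives intact. Rows with too few fields are skipped."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    if not lines:
        return []
    headers = [re.sub(r"[^0-9a-zA-Z_]", "_", h).strip("_").lower()
               for h in lines[0].split()]
    records = []
    for line in lines[1:]:
        fields = line.split(None, len(headers) - 1)
        if len(fields) != len(headers):
            continue  # malformed row: better to drop it than emit a bad event
        records.append(dict(zip(headers, fields)))
    return records


def to_kv(record):
    """Render one record as key=value pairs. Values containing whitespace,
    quotes or '=' are double-quoted with inner quotes backslash-escaped so
    Splunk's automatic key=value extraction picks them up correctly."""
    parts = []
    for key, value in record.items():
        if re.search(r'[\s"=]', value):
            value = '"' + value.replace('"', '\\"') + '"'
        parts.append(f"{key}={value}")
    return " ".join(parts)


def render_events(output):
    """One key=value line per data row of the command output."""
    return [to_kv(rec) for rec in parse_table(output)]


class TableToKVOutputHandler:
    """ASSUMED handler shape: setup-page parameters arrive as keyword args
    and the modular input calls the instance with the raw command output.
    `prefix` is a hypothetical parameter used only to show how one would
    be consumed."""

    def __init__(self, **args):
        self.prefix = args.get("prefix", "")

    def __call__(self, output, *unused_args, **unused_kwargs):
        events = render_events(output)
        for event in events:
            # Assumption: one event per line on stdout. Check the shipped
            # DefaultOutputHandler for the exact format it expects.
            sys.stdout.write(self.prefix + event + "\n")
        sys.stdout.flush()
        return events


if __name__ == "__main__":
    TableToKVOutputHandler(prefix="")(SAMPLE_PS_OUTPUT)
```

Parsing and rendering are kept in plain functions so they can be unit-tested without Splunk; the class is only the thin adapter that the modular input would instantiate from the name you enter on the setup page.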
Streaming vs Non Streaming Command Output
Some commands keep STDOUT open and stream results continuously instead of exiting; tcpdump is an example of such a command.
For these scenarios, ensure you check the “streaming output” option on the setup page so that output is read and indexed as it arrives rather than only after the command exits.
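To make the difference concrete, here is an added example (not the modular input's own code) of the two ways a wrapper can read a child process's stdout. The "endless" and "finite" commands are constructed python one-liners standing in for tcpdump and ps, so it runs anywhere; the `emit` callback is a hypothetical stand-in for the output handler.

```python
"""Added example: batch (non-streaming) vs streaming reads of a command's
stdout, and why a never-ending command needs the streaming mode.

Not the app's code. Commands are constructed python one-liners; `emit`
is a hypothetical stand-in for the output handler.
"""
import subprocess
import sys

# Constructed stand-in for ps/netstat: prints two lines and exits.
FINITE_CMD = [sys.executable, "-c", "print('a'); print('b')"]

# Constructed stand-in for tcpdump: never exits, emits a line every 10 ms.
# -u keeps the child's stdout unbuffered so lines reach the pipe promptly.
ENDLESS_CMD = [sys.executable, "-u", "-c",
               "import itertools, time\n"
               "for i in itertools.count(): print('pkt', i); time.sleep(0.01)"]


def run_batch(argv, timeout=None):
    """Non-streaming mode: wait for the command to exit, then return all of
    its stdout at once. Right for ps, iostat, netstat and friends.
    Returns None if the command is still running when `timeout` expires,
    which is exactly what happens with a tcpdump-style command: nothing
    would ever reach Splunk."""
    try:
        done = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout, check=False)
    except subprocess.TimeoutExpired:
        return None
    return done.stdout


def run_streaming(argv, emit, max_lines=None):
    """Streaming mode: read stdout line by line and hand each line to
    `emit` as it arrives, so a long-running command produces events while
    it is still running. Stops after `max_lines` (kills the child) or when
    the child closes its stdout. Returns the number of lines emitted."""
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL, text=True, bufsize=1)
    count = 0
    try:
        for line in proc.stdout:
            emit(line.rstrip("\n"))
            count += 1
            if max_lines is not None and count >= max_lines:
                break
    finally:
        proc.kill()   # no-op if the child already exited
        proc.wait()
    return count


if __name__ == "__main__":
    print("batch:", run_batch(FINITE_CMD).split())
    print("batch on endless command:", run_batch(ENDLESS_CMD, timeout=1))
    run_streaming(ENDLESS_CMD, lambda ln: print("streamed:", ln), max_lines=3)
```

Both helpers take the command as an argv list rather than a shell string, so nothing in the arguments is interpreted by a shell; whatever you type on the setup page is, of course, executed as configured, which is another reason to limit who can edit these inputs.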