The dojo of Splunk. Learn, share, teach, mentor.
Need help with scripted input for remote network device
I want to index result of command on remote network device. I understand that App "splunk for unix" can index result of statistics command such as "top", "ps" ,"vmstat". This App is useful when I index result of the command on the localhost, not remote server. My current target network device can not be installed as splunk forwarder either, so I am looking for the method to achieve my purpose.
I developed a script which log in the remote network device and execute a certain command. When I use this as scripted input on splunk indexer, splunk index all the operation including login process although I just want to index the result of specified command.
I would appreciate if anybody share with me solution for this.
I developed a script which log in the remote network device and execute a certain command. When I use this as scripted input on splunk indexer, splunk index all the operation including login process although I just want to index the result of specified command.
I would appreciate if anybody share with me solution for this.
Replies to This Discussion
-
Permalink Reply by Michael Wilde on -
Takamasa...
Can you give me a sample of the whole output that splunk is indexing... if you have control over the output, there are some "header commands" you can insert into the script to control how indexing happens...
More details, more answers!
-
Permalink Reply by Takamasa Sasaki on -
Thank you for prompt reply. Please let me explain what I am doing. There are three steps to index result of a command on the remote network device.
1. Splunk execute following shell script every 300 seconds as scripted input.
#!/bin/bash
#
/usr/bin/expect $SPLUNK_HOME/etc/apps/search/bin/sample-expect 172.16.xx.xx yyyy zzzz
2. Then, the expect script "sample-expect" is executed.
Please note that I am using "expect" in order to log in remote network device and execute specified command on the device. In the expect shell, I am using "puts $expect_out(buffer)" in order to output the result of specified command and index them by splunk.
3. Following is the whole output that splunk indexed.
I do not need first two lines and last line that is command prompt. What I want to do is to avoid indexing these lines.
##################################################################
show arp table
Ethernet-switching table: 514 entries, 500 learned
VLAN MAC address Type Age Interfaces
ADMIN * Flood - All-members
ADMIN 00:17:cb:8b:20:xx Learn 1:55 ae0.0
ADMIN b0:c6:9a:6c:2d:xx Learn 2:37 ae0.0
ADMIN b0:c6:9a:6c:76:xx Static - Router
ADMIN b0:c6:9a:6c:78:xx Learn 3:05 ae0.0
ADMIN b0:c6:9a:6c:83:xx Learn 0 ae0.0
ADMIN b0:c6:9a:6c:83:xx Learn 0 ae0.0
BRIDGE * Flood - All-members
BRIDGE 00:17:c5:14:b9:xx Learn 0 ae0.0
user1@xxxxyy-1>
##################################################################
I would appreciate if you give me advice to achieve my purpose.
-
Permalink Reply by Takamasa Sasaki on
-
Please let me know if I need to explain more details. Thank you for your assistance.
Videos
Latest Splunk Community Postings
© 2010 Created by Michael Wilde.
Powered by 
.
