Hello. Welcome back to the Split Enterprise Certified Administrator course on Cyber. In this video, we're gonna be doing a lab to go over scripted inputs and Splunk
basically, how you set it up, what kind of things you might be able to do with this and some differences between running a power shell script versus Python script versus the Bash script. And then
we'll set up a basic one and go over that
just to show the data getting ingested in a Splunk. And then at the end, I'll probably go over. Ah, more complicated script that I've written in the past. Eso Let's get started by first. Let's just open up the inputs documentation. And so there's
basically two stanzas that are relevant to
funny that we opened directly to it. So there's There's two stands is that essentially are relevant to this conversation. There's the script stands up, which is used to run either a, um,
a batch or a bash or a Python script.
And then there's also the power show,
uh, stanza, which is used to run power shell script using Splunk power shell. So
this is a very important thing to note you need to put your scripts in one of these directories. Generally you're gonna deploy it through an app so your script should reside in this vile and then
syntax to specify the path. So if you put a dot, this will inherently mean that it is within the current app directory. So whatever app this input is in, check that APP directory
been and then the name of the script. So this is the way you should always do it
put your script in your app name been
and then reference the script name using this syntax. That is how you should always do this
speaking just reiterating that So that's the most important things from here. Then you said interval. So this basically tell Splunk how often to run the script if you use, uh, negative one, then it oil run once on startup and that is it.
If you specify zero, it will run continuously as soon as it stops. It already start it. And then you can also specify any number of seconds to say every this many seconds run or you could specify a Cron schedule using this syntax so
those are the important things about Interval. This is gonna be something you always set with a script input. So it's very important.
Uh, you specify what user on the script as this might matter for permissions and stuff, but I or
this morning matter, I've never used it.
Uh, you specify which version of Python? Not super important indexes where the data will be sent. Whatever Dad has generated by your script,
you should always specify that should generally sign it. A source tied.
Those are the important things that you'll need for this input on. Let's just quick take a look at the power shell input as well.
it doesn't look like it's
there we go. So power shell is slightly different than the General,
um, script input. So you set it to power show and then you give it an arbitrary name. Does not matter what you call this,
then you specify the script equals the specific file that you want to use. Um,
not sure it doesn't say if you can specify it the way you do with script stanza. So I would specify
absolute path using *** Home variable.
So it would be like Splunk home at sea. APS app. Name been
Then, instead of using Interval, you says schedule. This accepts basically the same settings as Interval,
and that's basically the important thing. Then you would also set index, and those are the key.
This is the key configurations to make for either a
script input or power shell input. So let's go through the process of
making one of these really quick so we'll be on our search head.
a script for I guess we'll just have it
it doesn't matter which device. I guess we put it on. But I mean a
do the search had just for he's.
So we're gonna add a new AB
and we'll need been on. Then we'll also need
default for input stock off.
So let's write a script really quick.
We'll call it test. Uh,
so we're on Ah Lennox box here and it has Splunk enterprise installed. So we have two options here. If your own Splunk enterprise, you always have a full insult python. So you can write a python script, uh, or if you.
I would like you can also write the script relevant to the operating system. So in this case, we could write a bash
script if we wanted. I think that I will
So we got to specify it has been a It's been a minute. So
see what looks right
Tell you what shell to use. I'm not 100% sure on the order on that. I do probably
have some sample scripts somewhere, Possibly in here.
so Yeah, I was a rate been bash. So we'll just dio
And let's just run that to see that it works.
It won't work because first we need to make it execute Herbal.
Also, I did not mean to put period there, So let's Teoh.
Actually, I could have done it. I can do this Splunk because I own that whole directory. So let's dio ch mod plus x Teoh Splunk.
That's see ABS. My test
test on stage and then we can
brought it so it'll print hello world. So networks. So now let's write our input.
Oh, my abs, My test script
we'll need to put stock cough
And like we said, we're gonna specify in this app
Then we'll say in next People's main source type equals test script
and we'll specify our interval.
And we will say, Let's run this every
two seconds every 10 seconds. That's more recently
So we will write, Quit and then we will restart Splunk so that this input gets loaded and then we'll go over to
our search head Web Consul and watch some of these events come in.
So just a little bit of waiting. And then once we do this, all go over a more complicated script. This was really just to demonstrate. You know what configurations you need to make you need to actually have the script. You need to make sure that has proper permissions to be executed, and then you need an input stock off so that it gets called
So with the index, it was made source type equals test script,
and you can see if I said this to like a one minute real time search. You'll see this continuously get
and keep popping up in here every 10 seconds.
There's another one. So that works. That's cool. Let's let let me show you. Also,
the internal logs you can use for troubleshooting this if you run into any problems, I think the component healed us. What we care about and it should be should contain exact
Yeah. So yeah, exact processors. So that's actually the full name.
And you can see if you wanted to add some more so that basically this says Hannu execute Herbal was scheduled to be run and then you can see here This is our our actual test strip. So
if there were errors, you would be able to see that as well. A common one is if you don't
specify the path correctly and split, can't find the file, then that could be an issue. And you would see an air log message. Or with that, another one would be if it was supposed to be run by, like, power shell or something. And like the box didn't have permission to run it. You would see an era log.
There is probably a couple others, but this is where you go to troubleshoot this.
So just so that you're aware
eso that basically covers that. So now I just want to show you like a sample script that I had set up for customer, um,
to see kind of how how powerful this option could be. Obviously
you essentially have remote, arbitrary code execution. So you do whatever you want within reason. I mean, there might be controls on the actual device. So,
for example, this is a script I had written because they had a bunch of devices that were being renamed and Splunk when you first started. Generates a local inputs dot com with the hosting value equal to whatever the host name value was at the time of boot.
And they had these devices that were being migrated and renamed.
And so now they were still reporting with the old host name value. Uh, so the logs were not being attributed to the proper host.
So I wrote a script that Mrs Power Shell that just grabbed whatever the computer hosts name Waas and then compared
Well, then it check to see if
And if it did, then it would basically
extract whatever the host equals value us. That's what this reject says and accounts for. Maybe if you had,
um, spaces around your equal sign or not,
sets the variable to whatever this match was, and then it does a comparison to see if these are the same. And if they're not, then it rewrites. The file spits out a message saying it was rewritten if it didn't exist. That creates a new one and sets the value properly.
And if they already matched it says it doesn't do anything and exits.
if there was a change that need to be done, it removes the app
that the file came in and
because this app is configured to restart Splunk
when it's downloaded. Basically, this was just like my clever way to get a restart so that this setting this new inputs dot com setting would
be applied. So basically, at the end of the script, if a change was made, the APP gets deleted. The app then gets sent again. Script gets running in,
and this time since the script corrected last time, he does not delete itself, and then it just runs on its normal schedule. So this is like one example of a cool thing you could do with a scripted input really just depends on a use case by case basis, what comes up
and then how creative and how
Compton your at scripting. So that's basically everything you need to know about.
how do you scripted inputs? Just keep in mind that if you're using Splunk power, Shell used the power shell stanza. If you're using python or bash or batch, then you can use the script stands up and remember that there's some subtle differences between how you use that. So be sure to reference the documentation if you're foggy on that.
But this should be enough to get you started and hopefully setting up your own scripted inputs and Splunk
so thank you, and I'll see you in the next video.