Time: 6 hours 3 minutes
Difficulty: Intermediate
CEU/CPE: 6

Video Transcription

00:00
Hello. Welcome back to the Splunk Enterprise Certified Administrator course on Cybrary. In this video, we're gonna be doing a lab to go over scripted inputs in Splunk:
00:09
basically, how you set it up, what kinds of things you might be able to do with it, and some differences between running a PowerShell script versus a Python script versus a Bash script. And then
00:23
we'll set up a basic one and go over that
00:26
just to show the data getting ingested into Splunk. And then at the end, I'll probably go over a more complicated script that I've written in the past. So let's get started. First, let's just open up the inputs documentation. And so there's
00:44
basically two stanzas that are relevant to
00:48
Funny that we opened directly to it. So there are two stanzas that are essentially relevant to this conversation. There's the script stanza, which is used to run either
01:02
a batch, a Bash, or a Python script.
01:07
And then there's also the powershell
01:11
stanza, which is used to run a PowerShell script using Splunk PowerShell. So
01:19
this is a very important thing to note: you need to put your scripts in one of these directories. Generally you're gonna deploy it through an app, so your script should reside in this path, and then
01:34
you can use this
01:38
syntax to specify the path. So if you put a dot, this inherently means that it is within the current app directory. So whatever app this input is in, check that app directory's
01:55
bin, and then the name of the script. So this is the way you should always do it:
02:01
create an app,
02:04
put your script in your app name's bin,
02:07
and then reference the script name using this syntax. That is how you should always do this.
02:15
Just reiterating that. So that's the most important thing from here. Then you set interval. This basically tells Splunk how often to run the script. If you use negative one, then it will run once on startup and that is it.
02:30
If you specify zero, it will run continuously: as soon as it stops, it'll restart it. And then you can also specify any number of seconds to say run every this many seconds, or you could specify a cron schedule using this syntax, so
02:47
those are the important things about interval. This is gonna be something you always set with a script input, so it's very important.
02:55
You specify what user runs the script, as this might matter for permissions and stuff, but I've never used it.
03:09
You specify which version of Python; not super important. Index is where the data will be sent, whatever data is generated by your script;
03:19
you should always specify that, and you should generally assign it a sourcetype.
03:23
Those are the important things that you'll need for this input. Let's just quickly take a look at the powershell input as well.
03:32
Let's see if it's...
03:36
It doesn't look like it's...
03:38
There we go. So powershell is slightly different from the general
03:47
script input. So you set it to powershell and then you give it an arbitrary name. It does not matter what you call this;
03:55
then you specify script equals the specific file that you want to use.
04:04
I'm not sure; it doesn't say if you can specify it the way you do with the script stanza. So I would specify
04:13
the absolute path using the $SPLUNK_HOME variable.
04:17
So it would be like $SPLUNK_HOME/etc/apps/<app name>/bin/
04:23
script name.
04:26
Then, instead of using interval, you use schedule. This accepts basically the same settings as interval,
04:35
and that's basically the important thing. Then you would also set index, and those are the key.
04:41
These are the key configurations to make for either a
04:44
script input or powershell input. So let's go through the process of
04:49
making one of these really quick so we'll be on our search head.
04:59
I'm gonna write a script. I guess we'll just have it
05:10
execute locally, so it doesn't matter which device we put it on, but I'll do the search head just for ease.
05:26
So we're gonna add a new app,
05:28
my_test_script,
05:31
and we'll need bin, and then we'll also need
05:35
default for inputs.conf.
05:39
So let's write a script really quick.
05:48
We'll call it test.sh.
05:53
So we're on a Linux box here and it has Splunk Enterprise installed. So we have two options here. If you're on Splunk Enterprise, you always have a full install of Python, so you can write a Python script, or if you
06:06
would like, you can also write the script relevant to the operating system. So in this case, we could write a Bash
06:15
script if we wanted. I think that I will
06:19
do that.
06:25
So we've got to specify... it's been a minute. So
06:30
let's see what looks right
06:31
in Bash
06:33
to tell it what shell to use. I'm not 100% sure on the order of that. I do probably
06:41
have some sample scripts somewhere, possibly in here.
06:48
That's it. So yeah, it was /usr/bin/bash. So we'll just do
06:57
echo hello world,
07:02
And let's just run that to see that it works.
07:08
It won't work because first we need to make it executable.
07:15
Also, I did not mean to put a period there, so let's...
07:19
Actually, I could have done it. I can do this as splunk because I own that whole directory. So let's do chmod +x on $SPLUNK_HOME/etc/apps/my_test_script/bin/test.sh, and then we can
07:45
run it, so it'll print hello world. So that works. So now let's write our input.
07:54
cd into etc/apps/my_test_script/default, and we'll need inputs.conf,
08:05
so we'll do script://, and like we said, we're gonna specify it in this app: ./bin/test.sh.
08:16
Then we'll say index equals main, sourcetype equals test_script,
08:24
and we'll specify our interval. And we will say, let's run this every two seconds... every 10 seconds, that's more reasonable.
08:35
So we will write and quit, and then we will restart Splunk so that this input gets loaded, and then we'll go over to
08:48
our search head web console and watch some of these events come in.
08:54
So just a little bit of waiting. And then once we do this, I'll go over a more complicated script. This was really just to demonstrate, you know, what configurations you need to make: you need to actually have the script, you need to make sure that it has proper permissions to be executed, and then you need an inputs.conf so that it gets called
09:16
and actually run.
09:22
So with index equals main, sourcetype equals test_script,
09:28
you can see, if I set this to like a one-minute real-time search, you'll see this continuously get
09:37
re-executed
09:37
and keep popping up in here every 10 seconds.
09:48
There's another one. So that works. That's cool. Let me show you also
09:56
the internal logs you can use for troubleshooting this if you run into any problems. I think the component field tells us what we care about, and it should contain ExecProcessor.
10:18
Is that right?
10:22
Yeah. So yeah, ExecProcessor. So that's actually the full name.
10:26
And you can see, if you wanted to add some more... so basically this says a new executable was scheduled to be run, and then you can see here this is our actual test script. So
10:41
if there were errors, you would be able to see those as well. A common one is if you don't
10:48
specify the path correctly and Splunk can't find the file; then that could be an issue, and you would see an error log message for that. Another one would be if it was supposed to be run by, like, PowerShell or something, and the box didn't have permission to run it; you would see an error log.
11:07
There are probably a couple of others, but this is where you go to troubleshoot this,
11:09
just so that you're aware.
11:11
So that basically covers that. So now I just want to show you a sample script that I had set up for a customer
11:22
to see kind of how powerful this option could be. Obviously
11:28
you essentially have remote, arbitrary code execution, so you can do whatever you want within reason. I mean, there might be controls on the actual device. So,
11:39
for example, this is a script I had written because they had a bunch of devices that were being renamed, and Splunk, when you first start it, generates a local inputs.conf with the host value equal to whatever the hostname value was at the time of boot.
11:56
And they had these devices that were being migrated and renamed.
12:01
And so now they were still reporting with the old hostname value, so the logs were not being attributed to the proper host.
12:09
So I wrote a script, this is PowerShell, that just grabbed whatever the computer hostname was and then compared...
12:20
Well, then it checked to see if this file existed.
12:26
And if it did, then it would basically extract whatever the host equals value was. That's what this regex says, and it accounts for maybe if you had spaces around your equals sign or not,
12:43
and then sets the variable to whatever this match was, and then it does a comparison to see if these are the same. And if they're not, then it rewrites the file and spits out a message saying it was rewritten. If it didn't exist, it creates a new one and sets the value properly.
13:01
And if they already matched it says it doesn't do anything and exits.
13:07
If there was a change that needed to be done, it removes the app that the file came in, and because this app is configured to restart Splunk when it's downloaded, basically this was just like my clever way to get a restart so that this new inputs.conf setting would be applied. So basically, at the end of the script, if a change was made, the app gets deleted. The app then gets sent again, the script gets run again,
13:43
and this time, since the script corrected it last time, it does not delete itself, and then it just runs on its normal schedule. So this is like one example of a cool thing you could do with a scripted input. It really just depends, on a use-case-by-case basis, on what comes up
14:01
and then how creative and how competent you are at scripting. So that's basically everything you need to know about
14:09
how to do scripted inputs. Just keep in mind that if you're using Splunk PowerShell, use the powershell stanza. If you're using Python or Bash or batch, then you can use the script stanza, and remember that there are some subtle differences between how you use them. So be sure to reference the documentation if you're foggy on that.
14:30
But this should be enough to get you started, and hopefully you'll be setting up your own scripted inputs in Splunk,
14:35
so thank you, and I'll see you in the next video.

Splunk Enterprise Certified Administrator

The course is designed around the guidelines provided in Splunk’s Test Blueprint for the Certified Administrator certification, Splunk Docs, the Splunk Data and System Admin courses, and the experience of a Splunk Professional Services Consultant.

Instructed By

Anthony Fecondo
Splunk Professional Service Consultant
Instructor