#!/bin/bash
# This script is meant to streamline the process of getting files into Splunk.
# The goal is to:
# 1. Delete all events in the specified INDEX
# 2. Reload the input, fields, transforms, and props configs
# 3. oneshot load all of the files in specified directory using the defined sourcetype and INDEX
# 4. Count the number of events and show the field summary
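# Connection and load settings. Each one can be overridden from the
# environment so the script does not have to be edited per host, and so the
# password does not have to live in this file: the in-file default is Splunk's
# factory password and only makes sense against a throwaway dev instance.
# The REST API is served on the management port (8089 by default; 8091 here).
#SPLUNK_HOST=localhost:8089
SPLUNK_HOST="${SPLUNK_HOST:-localhost:8091}"
SPLUNK_USERNAME="${SPLUNK_USERNAME:-admin}"
SPLUNK_PASS="${SPLUNK_PASS:-changeme}"
# Index that gets wiped and reloaded, and the sourcetype applied to every file.
INDEX="${INDEX:-fio-test}"
SOURCETYPE="${SOURCETYPE:-_json}"
# Unquoted on purpose so the ~user prefix is tilde-expanded at assignment.
DIRECTORY=${DIRECTORY:-~tmuth/Temp/fio-test}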
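#######################################
# Run a oneshot Splunk search through the REST API and print the result as CSV.
# Globals:   SPLUNK_HOST, SPLUNK_USERNAME, SPLUNK_PASS (read)
# Arguments: $1 - full SPL string, including the leading "search" keyword
# Outputs:   up to 100 result rows as CSV on stdout; curl errors on stderr
# Returns:   curl's exit status
#######################################
splunk_search() {
  local spl="${1:?search string required}"
  # --data-urlencode form-encodes the SPL (spaces, pipes, '=' inside field
  # comparisons) instead of pasting it raw into the POST body as -d does.
  # -k is kept because a stock Splunk install serves a self-signed cert on the
  # management port; drop it (or add --cacert) once that port has a trusted one.
  # NOTE: -u places the password on curl's command line, where it is readable
  # via `ps` by other users on this host; a curl --netrc or --config file
  # keeps it out of argv.
  curl -k -sS -u "${SPLUNK_USERNAME}:${SPLUNK_PASS}" \
    "https://${SPLUNK_HOST}/services/search/jobs/" \
    --data-urlencode "search=${spl}" \
    -d exec_mode=oneshot -d count=100 -d output_mode=csv
}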
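#######################################
# Ask splunkd to re-read one configuration file through the REST API.
# Globals:   SPLUNK_HOST, SPLUNK_USERNAME, SPLUNK_PASS (read)
# Arguments: $1 - config endpoint name, e.g. conf-props
# Outputs:   splunkd's response on stdout; curl errors on stderr
# Returns:   curl's exit status
#######################################
config_reload() {
  local config="${1:?config name required}"
  # -k: stock Splunk serves a self-signed cert on the management port; remove
  # it (or add --cacert) once a trusted cert is installed.
  # NOTE: -u exposes the password in this process's argv (visible via `ps`);
  # a curl --netrc or --config file avoids that.
  curl -k -sS -u "${SPLUNK_USERNAME}:${SPLUNK_PASS}" \
    -X POST "https://${SPLUNK_HOST}/services/configs/${config}/_reload"
}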
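# Refuse to run the destructive step against an empty index name.
: "${INDEX:?INDEX must be set}"

# 1. Wipe the index. "| delete" only marks events as deleted (it does not free
#    disk) and requires the can_delete role on the account used above.
splunk_search "search index=${INDEX} | delete"
# Metric data can't be deleted this way, so for a metrics index use instead:
# splunk clean eventdata -index ${INDEX}

# 2. Reload the configs that govern input handling and field extraction.
for conf in conf-inputs conf-fields conf-transforms conf-props; do
  config_reload "${conf}"
done

# 3. Oneshot-load every file in DIRECTORY. Globbing instead of parsing `ls`
#    keeps names with spaces intact; the -e test skips the literal unmatched
#    pattern when the directory is empty.
for path in "${DIRECTORY}"/*; do
  [[ -e "${path}" ]] || continue
  printf '%s\n' "${path##*/}"
  splunk add oneshot "${path}" -index "${INDEX}" -sourcetype "${SOURCETYPE}"
done

# 4. Give the indexer a moment, then report the event count and field summary.
echo "Waiting a few seconds so some of the files will be indexed..."
sleep 3
splunk_search "search index=${INDEX} | stats count"
splunk_search "search index=${INDEX} | fieldsummary | fields field,count"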