Public Repository

Last pushed: a year ago
Short Description
Centos splunk forwarder running simple df output into splunk instance
Full Description

This image has been created to feed a test Splunk instance with disk statistics. The image is configured to send to that test Splunk instance and would obviously not run as-is for another user, but I have supplied all the details needed below.

Unfortunately pasting the scripts and files here adds some stupid formatting.

#! is used here as a comment (otherwise it's shown as a heading).

Backticks are also not recognised. Hopefully this will be obvious from the code.

Dockerfile :

FROM centos:latest
RUN yum -y install net-tools.x86_64
RUN yum -y install openssh.x86_64
RUN yum -y install openssh-clients.x86_64
RUN yum -y install openssh-server.x86_64
RUN yum -y install perl.x86_64
COPY splunkforwarder-6.5.0-59c8927def0f-linux-2.6-x86_64.rpm /tmp
RUN rpm -i /tmp/splunkforwarder-6.5.0-59c8927def0f-linux-2.6-x86_64.rpm
RUN /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt
COPY df_splunk_feed.pl /opt/splunkforwarder/etc/system/bin
RUN /opt/splunkforwarder/bin/splunk add forward-server 192.168.160.168:9997
COPY inputs.conf.template /tmp
COPY splunk_start.pl /opt/splunkforwarder/etc/system/bin
CMD [ "/opt/splunkforwarder/etc/system/bin/splunk_start.pl" ]

  • Change the forward-server to your server (obviously!). The image is built from the rpm named in the COPY line, so that file must sit next to the Dockerfile.

splunk_start.pl :

#!/usr/bin/perl
use strict;
use warnings;

# Very simple script to check the splunkd process and keep the container up (used in CMD).
# If splunkd stops, stop the container.

# Container hostname becomes the Splunk "host" field for this forwarder.
my $container_hostname = `hostname`;
chomp $container_hostname;
my @current_inputs  = `cat /opt/splunkforwarder/etc/system/local/inputs.conf`;
my @inputs_template = `cat /tmp/inputs.conf.template`;

# Let's change the hostname in the template file
open(INPUTS_TEMPLATE, ">/tmp/inputs.conf.temp")
    or die "Cannot write /tmp/inputs.conf.temp: $!";
foreach (@inputs_template) {
    if ($_ =~ /host = CHANGE_ME/) {
        print INPUTS_TEMPLATE "host = ${container_hostname}\n";
    } else {
        print INPUTS_TEMPLATE $_;
    }
}
close INPUTS_TEMPLATE;

# Any output from diff means the installed inputs.conf is stale.
my @diff_array = `diff /tmp/inputs.conf.temp /opt/splunkforwarder/etc/system/local/inputs.conf`;

#print @diff_array;

if (@diff_array) {
    print "Differences found between template and host's inputs.conf, need to copy in new inputs.conf\n";
    `/opt/splunkforwarder/bin/splunk status`;
    `/opt/splunkforwarder/bin/splunk stop`;
    `mv /opt/splunkforwarder/etc/system/local/inputs.conf /opt/splunkforwarder/etc/system/local/inputs.conf.orig`;
    `cp /tmp/inputs.conf.temp /opt/splunkforwarder/etc/system/local/inputs.conf`;
    `/opt/splunkforwarder/bin/splunk start`;
    print "New inputs.conf created, splunkd started, sleeping for 100 and now looping\n";
    sleep 100;
    &run_check_loop;
} else {
    print "inputs.conf file matches template, continuing\n";
    my @splunk_status = `/opt/splunkforwarder/bin/splunk status`;

    if (grep /splunkd is running/, @splunk_status) {
        print "splunkd running, looping\n";
        &run_check_loop;
    } else {
        `/opt/splunkforwarder/bin/splunk status`;
        `/opt/splunkforwarder/bin/splunk start`;
        print "splunkd wasn't running, restarted, sleep 100, now looping\n";
        sleep 100;
        &run_check_loop;
    }
}

# Poll splunkd every 5 minutes; when it is gone, dump the tail of its log and
# exit so the container stops instead of lingering as an empty shell.
sub run_check_loop {
    while (1) {
        my @splunk_status = `/opt/splunkforwarder/bin/splunk status`;
        if (grep /splunkd is running/, @splunk_status) {
            print "In check loop, splunkd running, looping\n";
            sleep 300;
        } else {
            print "In check loop, splunkd not running, logging and closing container, if you need to attach to troubleshoot, commit to a new image!\n";
            my @splunkd_log = `tail -100 /opt/splunkforwarder/var/log/splunk/splunkd.log`;
            print @splunkd_log;
            exit 0;
        }
    }
}

inputs.conf.template :

[default]
host = CHANGE_ME
[script:///opt/splunkforwarder/etc/system/bin/df_splunk_feed.pl]
interval = 300
sourcetype=custom_script
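The render-and-compare step that splunk_start.pl performs on this template, written as POSIX shell so it can be exercised without a Splunk install. This is an added example, not code from the image; it works entirely inside a temporary directory with a constructed copy of the template and a constructed, stale inputs.conf. The function names and the "abc123" hostname are assumptions made here. Because the hostname is spliced into a sed replacement, the example only assumes the hex container IDs Docker assigns; a hostname containing "/" or "&" would need escaping first.

```shell
#!/bin/sh
# Added example (not part of the image): render inputs.conf.template for this
# host and decide whether the installed inputs.conf needs replacing, the same
# decision splunk_start.pl makes with diff before stopping/starting splunkd.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed copy of the page's inputs.conf.template.
cat > "$WORK/inputs.conf.template" <<'EOF'
[default]
host = CHANGE_ME
[script:///opt/splunkforwarder/etc/system/bin/df_splunk_feed.pl]
interval = 300
sourcetype=custom_script
EOF

# render_inputs TEMPLATE HOSTNAME
# Prints the template with the CHANGE_ME host line replaced; every other
# line passes through untouched. Assumes HOSTNAME contains no "/" or "&".
render_inputs() {
    sed "s/^host = CHANGE_ME\$/host = $2/" "$1"
}

# inputs_up_to_date INSTALLED TEMPLATE HOSTNAME
# Returns 0 when the installed file already equals the rendered template,
# 1 when it differs (splunk_start.pl would then stop splunkd and install it).
inputs_up_to_date() {
    render_inputs "$2" "$3" | cmp -s - "$1"
}

# Constructed scenario: the installed file still names a previous container.
printf '[default]\nhost = old-container\n' > "$WORK/inputs.conf"

if inputs_up_to_date "$WORK/inputs.conf" "$WORK/inputs.conf.template" "abc123"; then
    echo "inputs.conf matches template, nothing to do"
else
    echo "inputs.conf differs from template, installing rendered copy"
    render_inputs "$WORK/inputs.conf.template" "abc123" > "$WORK/inputs.conf"
fi
```

In the real container the paths would be /opt/splunkforwarder/etc/system/local/inputs.conf and /tmp/inputs.conf.template, and the hostname comes from `hostname` as in the Perl script.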

df_splunk_feed.pl :

#!/usr/bin/perl
use strict;
use warnings;

# Scripted input: emit one line per mounted filesystem with the df -k figures.

my $date = `date`;
chomp $date;

my @df_output = `df -k`;

foreach my $df_line (@df_output) {
    # Skip the header line (the only line containing "Used").
    if ($df_line =~ /Used/) {
        next;
    }
    # Fields: filesystem, 1K blocks, used, available, use%, mount point.
    my ($k_blocks, $used, $avail, $pct_use, $mount) =
        ($df_line =~ /\w\s+(\w+)\s+(\w+)\s+(\w+)\s+(\w+)%\s+(.*)/);
    print "$date - 1k Blocks:$k_blocks - Blocks Used:$used - Available:$avail - PctUsed:$pct_use - Mount:$mount\n";
}
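The same event format produced from df output in shell and awk, added here as an example and not part of the image. It goes a little beyond the Perl script in one respect a practitioner will hit in practice: plain df -k wraps long device names (an LVM path, for instance) onto their own line, which leaves the numbers on a following line that the regex above cannot match. Feeding the parser df -kP, the POSIX format, keeps every filesystem on one line, and the parser additionally drops any line with too few fields rather than emitting an event with empty values. The sample df text, the timestamp and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not the image's own code): turn POSIX df -kP output into the
# same "date - 1k Blocks:... - Mount:..." events that df_splunk_feed.pl prints.
# Assumes awk and date exist; SAMPLE_DF below is constructed, not captured.

# Constructed df -kP sample. The last mount point contains a space on purpose,
# and the fifth line imitates a wrapped device name that a non-POSIX df emits.
SAMPLE_DF='Filesystem     1024-blocks    Used Available Capacity Mounted on
overlay           41152736 8294400  32858336      21% /
tmpfs                65536       0     65536       0% /dev
/dev/sda1         41152736 8294400  32858336      21% /etc/hosts
/dev/mapper/very-long-volume-group-name-root
/dev/sdb1        102400000 5120000  97280000       5% /mnt/data volume'

# df_to_events STAMP   (reads df -kP text on stdin, prints one event per line)
df_to_events() {
    awk -v stamp="$1" '
        NR == 1 { next }                    # header line
        NF < 6  { next }                    # wrapped or partial line: no numbers to report
        {
            pct = $5; sub(/%$/, "", pct)    # "21%" -> "21"
            mount = $6
            for (i = 7; i <= NF; i++) mount = mount " " $i   # mount points may contain spaces
            printf "%s - 1k Blocks:%s - Blocks Used:%s - Available:%s - PctUsed:%s - Mount:%s\n",
                   stamp, $2, $3, $4, pct, mount
        }'
}

# Runs the parser over the constructed sample with a fixed timestamp.
sample_events() {
    printf '%s\n' "$SAMPLE_DF" | df_to_events "Mon Jan  1 00:00:00 UTC 2024"
}

# Live use from a scripted input would be:  df -kP | df_to_events "$(date)"
sample_events
```

Skipping short lines silently is the conservative choice for a scripted input: a malformed event with empty fields would still be indexed and could mask the fact that a filesystem is missing from the feed.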

Owner
bantex01