| options { | |
| create-dirs(yes); | |
| owner("splunk"); | |
| group("splunk"); | |
| dir-owner("splunk"); | |
| dir-group("splunk"); | |
| dir-perm(0755); | |
| perm(0644); |
| Function Start-Splunk { | |
| try { | |
| Get-Service splunk* | Start-Service -ErrorAction Stop | |
| } | |
| catch [Microsoft.PowerShell.Commands.ServiceCommandException] { | |
| Write-Verbose "Command must be run in an elevated session, invoking new session." | |
| Start-Process -Verb Runas -FilePath powershell.exe { Get-Service splunk* | Start-Service -Verbose -ErrorAction Stop; Start-Sleep 5 } | |
| } | |
| } |
| # TODO: write the help | |
| # TODO: support SSL self-signed certs | |
| # TODO: need to validate JSON, and/or add a new param set that accepts hashtable and | |
| # convert internally. | |
| # TODO: support RAW mode | |
| # TODO: refactor to use EC batch (concatenated events in one HTTP request) instead of | |
| # PowerShell pipelines which will do a request per object (event payload) on the pipeline | |
| # TODO: think about load balancing per Geoffrey Martins. | |
Sometimes, you need to fake something in Splunk. Might be during development and you don't feel like writing a real search, but you really need a number for a dashboard panel to look right. Maybe you are helping someone with a hairy regex, and you don't want to index data just to test it on your instance. Whatever the reason, here are some searches that have helped me out.
Note that when using these techniques, you are not going through the indexing
| #!/bin/bash | |
| for index in $($SPLUNK_HOME/bin/splunk cmd btool indexes list | grep \\[ | grep -v volume | sed s/\\[//g | sed s/\\]//g | grep -v default ) | |
| do | |
| case "$index" in | |
| main) | |
| echo | |
| echo [main] | |
| echo homePath = volume:primary/defaultdb/db | |
| echo coldPath = volume:primary/defaultdb/colddb |