product
service
- Simple Security Consulting [Consulting]
- Splunk SOAR Automation Assessment Service [Consulting]
- Dashboard/SPL Creation Pack [Implementation/Building Support]
- Version upgrade service [implementation and construction support]
- Splunk Premium Apps construction support service [implementation and construction support]
- Splunk Security Log Analysis Start Package [Original App/Service]
- Splunk × CrowdStrike Falcon Insight, Macnica Original App [Original App/Service]
- Government uniform standard compatible App [Original App/Service]
- Smart Security Monitoring App [Original App/Service]
- Splunk × LANSCOPE Original App [Original App/Service]
- Security Monitoring App for Box [Original App/Service]
- Cloud Security Monitoring App [Original App/Service]
- SIEM Operation Monitoring Service [Original App/Service]
- List of services
- Macnica Premium Support for Splunk (utilization support, version upgrade monitoring)
- Macnica Premium Support for Splunk Skill Up Package
Specifications/Technical Information
Application for evaluation machine
- FAQ
How to include files using the add oneshot command
- release date
- 2019-08-29
- last updated
- 2024-02-28
- version
- Splunk Enterprise 9.1.2
- Overview
- You can use Splunk's add oneshot command to include specified files in the index.
Please use it to re-import files that could not be imported due to failures or incorrect settings, or to import sample logs for verification.
- Reference information
-
- Monitor files and directories using the CLI
- content
-
What is add oneshot
add oneshot is a Splunk command run from the CLI that is used to include the specified file into the index.
Importing a file with this command is done only once during execution.
Specifically, it can be used in the following situations.
- Reimport files that were not successfully imported due to improper settings, etc.
- Recapture data from files deleted with the delete command
- Import test file experimentally
It also behaves differently depending on which instance of Splunk you run the add oneshot command.
- Indexer: Captured by the indexer that executed the command.
- Universal Forwarder: Ingested into the forwarding indexer.
add oneshot syntax
Below is the syntax of the add oneshot command.
<syntax>
$SPLUNK_HOME/bin/splunk add oneshot <取り込みファイルパス> [-オプション 値]* $SPLUNK_HOME is the installation directory. By default:
Windows :
Splunk Enterprise : C:\Program Files\Splunk
Universal Forwarder : C:\Program Files\SplunkUniversalForwarderLinux :
Splunk Enterprise : /opt/splunk
Universal Forwarder : /opt/splunkforwarderBelow is an example of the command to add the import file path, index, source type, and options for authentication.
<Command execution example>
/opt/splunk/bin/splunk add oneshot /var/log/secure
-index security -sourcetype linux_secure -auth admin:password* When actually executing, please enter in one line including option specification.
<Capture conditions>
Splunk installation directory: /opt/splunk
Capture file path: /var/log/secure
Destination index: security
Ingest Log Source Type: linux_secure
Admin User: admin
administrator password: password<execution example>
/opt/splunk/bin/splunk add oneshot /var/log/secure -index security
-sourcetype linux_secure -auth admin:password* When actually executing, please enter in one line including option specification.
For details on each option, see "Command Options" below.
Notes
- Options other than the import file path are optional, but be sure to specify them to prevent importing with an unintended index or source type.
- For the import file path, specify the file to be imported with the full path.
- When importing multiple files, you cannot use wildcards such as "*", so please specify the full path of each file one by one.
command option
- -sourcetype <log source type>
- Used to specify the source type when importing. If not specified, the auto-detected source type is set during import.
- -index <import destination index>
- Used to specify the destination index. If not specified, it will be included in the main index.
- -hostname <host name> or -host <host name>
- Used to specify the host name when importing. If not specified, the hostname of the server will be set.
*The following files obtain the host name from the information in the log, so options cannot be specified.
- *.evtx files
- Syslog file (if -sourcetype syslog is specified)
- -hostregex <regular expression> or -host_regex <regular expression>
- Specify when extracting part of the full path of the file as a host name. The portion of the regular expression that matches between the first brackets () will be the host name. If the regular expression does not match the file path, it will be set to the server hostname.
- -hostsegmentnum <Number of path hierarchies> or -host_segment <Number of path hierarchies>
- Specify when extracting the directory name or file name included in the full path of the file as the host name.
For example, if you specify the option as follows, "splunk-server", which is the directory name in the third hierarchy from the top, will be set as the host name.
- Specify when extracting the directory name or file name included in the full path of the file as the host name.
<Example on Linux>
$SPLUNK_HOME/bin/splunk add oneshot
/var/log/splunk-server/messages.log -hostsegmentnum 3<Example on Windows>
$SPLUNK_HOME\bin\splunk add oneshot
C:\var\log\splunk-server\messages.log -hostsegmentnum 3*For Windows, specify the number of layers excluding the drive specification.
- -rename-source
- Specifies the value of the source when ingested. If not specified, the full path of the file will be set.
- -auth <username>:<password>
- Specify the user name and password to be used for user authentication when importing. If not specified, you will be prompted for a user and password on the console. Authenticate with the Splunk admin user.
that's all
In charge of Macnica Splunk Co., Ltd.
- TEL:045-476-2010
- E-mail:splunk-sales@macnica.co.jp
Mon-Fri 8:45-17:30
