How to use the Splunk oneshot command

By 01-18-2015 · 1 minute read · 169 words

Today I had to index an entire directory full of IIS logs into Splunk. I didn’t want to create an input on the forwarder, so I had to look for another solution. Fortunately Splunk has a command called “oneshot” that does just that: it is a one-off method to send all your logs off to your indexer.

I couldn’t figure out how to run it against a directory full of logs, so I had to wrap the command in a for loop.

# Loop over every file in the current directory (a glob rather than parsing `ls`,
# so file names containing spaces survive) and submit each one with oneshot.
for f in ./*; do
  /opt/splunkforwarder/bin/splunk add oneshot "$f" -index iis -sourcetype iis
done

Here the loop walks the directory of logs and hands each file to the oneshot command, sending it to the index “iis” with the sourcetype “iis”. If you are only indexing a single file, drop the for loop and pass the file path directly.

You’ll have to specify the admin password; I was on a forwarder, so I just used “admin” and “changeme”, which are the defaults.
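Here is a small script version of the same procedure, added as an example and not part of the original post. It wraps the oneshot call in two functions, skips anything that isn’t a regular file, reports how many files were submitted, and reads the credentials for the `-auth` flag from an environment variable so the command doesn’t prompt and the password never sits in the script. `SPLUNK_BIN`, `SPLUNK_AUTH`, `oneshot_file` and `oneshot_dir` are names I made up for this example; the forwarder path and the index/sourcetype of “iis” are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): index every regular file in a
# directory with "splunk add oneshot", one invocation per file, as the post does.
# Assumptions (hypothetical names): SPLUNK_BIN is the splunk CLI (defaults to the
# forwarder path from the post); SPLUNK_AUTH, if set, holds "user:password" and is
# passed via the CLI's -auth flag so nothing is typed interactively.

: "${SPLUNK_BIN:=/opt/splunkforwarder/bin/splunk}"

# oneshot_file FILE INDEX SOURCETYPE
# Submits a single file; this is the "single file, no loop" case from the post.
oneshot_file() {
    file=$1; index=$2; sourcetype=$3
    if [ -n "${SPLUNK_AUTH:-}" ]; then
        "$SPLUNK_BIN" add oneshot "$file" -index "$index" -sourcetype "$sourcetype" -auth "$SPLUNK_AUTH"
    else
        "$SPLUNK_BIN" add oneshot "$file" -index "$index" -sourcetype "$sourcetype"
    fi
}

# oneshot_dir DIR INDEX SOURCETYPE
# Submits every regular file directly under DIR (a glob, so names with spaces
# are safe; dotfiles and subdirectories are skipped). Prints the number of files
# submitted and returns non-zero if any submission failed.
oneshot_dir() {
    dir=$1; index=$2; sourcetype=$3
    count=0; failed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if oneshot_file "$f" "$index" "$sourcetype" >/dev/null; then
            count=$((count + 1))
        else
            failed=$((failed + 1))
            printf 'oneshot failed for %s\n' "$f" >&2
        fi
    done
    printf '%s\n' "$count"
    [ "$failed" -eq 0 ]
}

# Usage: SPLUNK_AUTH='admin:<password>' sh oneshot_dir.sh /path/to/iis/logs iis iis
if [ $# -eq 3 ]; then
    oneshot_dir "$1" "$2" "$3"
fi
```

Once it has run, a quick `index=iis | stats count by source` search on the indexer confirms that every file in the directory made it in.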
