Some changes to make it work directly from scripted input.

jmaas · Sep 22, 2020 · ae8c354 · ae8c354
1 parent 6e56c5b
commit ae8c354
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 26 deletions.
diff --git a/README.md b/README.md
@@ -1 +1 @@
-# splunk-ta-journald
+# Splunk-TA-journald
diff --git a/bin/get-journald-logs.sh b/bin/get-journald-logs.sh
@@ -4,35 +4,33 @@
 # Requires the 'jq' package to be installed.
 #
 
-#LOG_DATE=$(date +"%Y-%m-%d")
-#LOG_NAME="journald-${LOG_DATE}.log"
-#LOG_DIR="/var/log/splunk-journald"
-#LOG_FILE="${LOG_DIR}/${LOG_NAME}"
+CUR_DIR=$(dirname $0)
+STATE_DIR="${CUR_DIR}/../state"
+STATE_FILE="${STATE_DIR}/journald.state"
+STATE_LOGFILE="${STATE_DIR}/journald.log"
 
-STATE_NAME="journald.state"
-STATE_DIR="state"
-STATE_FILE="${STATE_DIR}/${STATE_NAME}"
 
-#if ! [ -d ${LOG_DIR} ]; then
-#	mkdir -p ${LOG_DIR}
-#fi
+update_state () {
+	if [ -s ${STATE_LOGFILE} ]; then
+		# only update state if we have a new one
+		STATE=$(tail -n1 ${STATE_LOGFILE} | jq -j '.__CURSOR')
+		echo -n ${STATE} > ${STATE_FILE}
+	fi
+}
 
-#if ! [ -d ${STATE_DIR} ]; then
-#	mkdir -p ${STATE_DIR}
-#fi
 
-if [ -f ${STATE_FILE} ]; then
+if [ -s ${STATE_FILE} ]; then
 	# get state and logs
 	CURSOR=$(cat ${STATE_FILE})
-     	/usr/bin/journalctl --after-cursor="${CURSOR}" --no-tail --no-pager -o json # >> ${LOG_FILE}
-else
-	# no state; get all logs as of today
-	/usr/bin/journalctl --no-tail --since today --no-pager -o json # >> ${LOG_FILE}
+	/usr/bin/journalctl --after-cursor="${CURSOR}" --no-tail --no-pager -o json | /usr/bin/tee ${STATE_LOGFILE}
+	update_state
 fi
 
-# update state
-STATE=$(tail -n1 ${LOG_FILE} | jq -r '.__CURSOR')
-echo ${STATE} > ${STATE_FILE}
 
-# EOF
+if ! [ -f ${STATE_FILE} ]; then
+	# no state (first run?); get logs of today
+	/usr/bin/journalctl --no-tail --since today --no-pager -o json | /usr/bin/tee ${STATE_LOGFILE}
+	update_state
+fi
 
+# EOF
diff --git a/default/inputs.conf b/default/inputs.conf
@@ -1,5 +1,5 @@
 #
-#
+# Scripted input for on-boarding journald logs into Splunk
 # 
 
 [script://./bin/get-journald-logs.sh]

diff --git a/default/props.conf b/default/props.conf
@@ -1,9 +1,14 @@
+#
+# Setup linux:journald sourcetype as JSON input
+#
+
 [linux:journald]
 KV_MODE = json
-#MAX_TIMESTAMP_LOOKAHEAD = 10
 NO_BINARY_CHECK = 1
 SHOULD_LINEMERGE = false
 TIME_FORMAT = %s
 TIME_PREFIX = \"__REALTIME_TIMESTAMP\" : \"
 pulldown_type = 1
 TZ=UTC
+
+# EOF
diff --git a/state/README b/state/README
@@ -1 +1,2 @@
-This directory holds the state file.
+This directory holds the journald state as well as the last log file.
+If you ever need to reset this input just delete the journald.* files.