Automating File Transfer: Using Bash Scripts to Place Reports on Remote Servers
While working with Splunk, I’ve come across unique requests that are specific to an organization. In some cases, Splunk customers within an organization do not have Splunk access to run their own saved searches and reports. This requires the Splunk team to create the saved search, generate the report, and send the report to the Splunk customer. Splunk can send a report by email after the search has run, but this option is not practical if a search runs multiple times a day. A better option is to place the report on a server accessible to the customer every time the saved search runs. The following explains how to securely automate this process.
1. Generate auth-key
A. Generate an auth-key for the Splunk account responsible for running the saved search and transferring the report from the local server (splunk server) to the remote server (customer server). On the local server, generate a public/private key pair using the following command:
ssh-keygen -t rsa
B. Copy the public key to the remote server. On the local server, use the following command to copy the public key to the remote server:
C. Change permissions of the public/private key pair
- On the local server, change permissions to 755 to the following folders:
- On the local server, change permissions to 600 to the following file:
· /home/<splunk_account>/.ssh/id_rsa
- On the remote server, change permissions to 755 to the following file:
2. Create Splunk app
A. Create a custom app for this report in $SPLUNK_HOME/etc/apps/. This app will contain the saved search which will generate the report and the bash script responsible for transferring the report between servers.
B. Create a /bin folder within the app.
C. Create a /local folder within the app.
3. Create bash script
A. The following bash script uses the auth-key for the secure file transfer (scp) and for the permission change on the remote copy (chmod). Place this script in the /bin folder of the custom app created in step 2.
#!/bin/bash
# Copy the report to the remote server using the private key from step 1.
# <local report path> is the directory outputcsv writes to (see step 4B).
# Note the single colon after the host: "user@host:/path", not "user@host://path".
scp -i /home/<splunk_account>/.ssh/id_rsa <local report path>/<report_name>.csv <splunk_account>@<remote_server_ip>:/<remote server file path>/<report_name>.csv
# Make the remote copy readable by the customer account (no leading slash before the user name).
ssh -i /home/<splunk_account>/.ssh/id_rsa <splunk_account>@<remote_server_ip> chmod 644 /<remote server file path>/<report_name>.csv
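The two-line script above works, but a scheduled job that runs unattended several times a day deserves a few checks the post does not spell out: it should fail closed if the remote host key is unknown or has changed, it should never prompt for input, it should refuse to send a missing or empty report, and the report name it hands to the remote chmod should be validated so it cannot escape the drop directory or be interpreted by the remote shell. The script below is an added example written for this post, not the author's script; the account name, host address (documentation range), remote directory, and the outputcsv directory are assumed placeholders and are all overridable through environment variables. On the remote side, the matching authorized_keys entry can additionally carry the OpenSSH `restrict` and `from="<splunk_server_ip>"` options so the key is only usable from the Splunk server.

```shell
#!/bin/bash
# Added example: hardened report transfer for a Splunk scripted alert.
# Not the original post's script. All values below are assumed defaults.
set -eu

SPLUNK_ACCOUNT="${SPLUNK_ACCOUNT:-splunk}"          # assumed account name
REMOTE_HOST="${REMOTE_HOST:-192.0.2.10}"            # assumed customer server (documentation range)
REMOTE_DIR="${REMOTE_DIR:-/srv/reports}"            # assumed remote drop directory
KEY_FILE="${KEY_FILE:-/home/$SPLUNK_ACCOUNT/.ssh/id_rsa}"
KNOWN_HOSTS="${KNOWN_HOSTS:-/home/$SPLUNK_ACCOUNT/.ssh/known_hosts}"
# Directory outputcsv writes to on a default install (assumed; adjust to your deployment).
REPORT_DIR="${REPORT_DIR:-${SPLUNK_HOME:-/opt/splunk}/var/run/splunk/csv}"
# Paths above must not contain whitespace: ssh_opts is expanded with word splitting.

# Accept only a plain file name: letters, digits, dot, dash, underscore, ending in .csv,
# not starting with a dot. Path separators and shell metacharacters are rejected so a bad
# value can neither escape REMOTE_DIR nor be interpreted by the remote shell in chmod.
sanitize_name() {
    case "$1" in
        *.csv) ;;
        *) return 1 ;;
    esac
    case "$1" in
        .*) return 1 ;;                      # no dotfiles, no ".." components
        *[!A-Za-z0-9._-]*) return 1 ;;       # anything outside the safe character set
    esac
    return 0
}

# Build the scp destination "user@host:/dir/file" (single colon, never "://").
remote_target() {
    printf '%s@%s:%s/%s' "$1" "$2" "$3" "$4"
}

# Common options for scp and ssh: this key only, no prompts, and the host key must already
# be present in KNOWN_HOSTS. A first-connect prompt would hang a scheduled job, and a
# changed host key means the report must not be sent.
ssh_opts() {
    printf '%s\n' -i "$KEY_FILE" -o IdentitiesOnly=yes -o BatchMode=yes \
        -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$KNOWN_HOSTS"
}

# Returns 2 for an unsafe name, 3 for a missing/empty report, otherwise scp/ssh status.
transfer_report() {
    local name="$1" local_path target
    sanitize_name "$name" || { echo "refusing unsafe report name: $name" >&2; return 2; }
    local_path="$REPORT_DIR/$name"
    [ -s "$local_path" ] || { echo "report missing or empty: $local_path" >&2; return 3; }
    target="$(remote_target "$SPLUNK_ACCOUNT" "$REMOTE_HOST" "$REMOTE_DIR" "$name")"
    # shellcheck disable=SC2046
    scp $(ssh_opts) "$local_path" "$target"
    ssh $(ssh_opts) "$SPLUNK_ACCOUNT@$REMOTE_HOST" chmod 644 "$REMOTE_DIR/$name"
}

# Only perform the transfer when explicitly asked, so the functions can be sourced and checked.
if [ "${REPORT_TRANSFER_MAIN:-0}" = "1" ]; then
    transfer_report "${1:?usage: REPORT_TRANSFER_MAIN=1 $0 <report_name>.csv}"
fi
```

Run it as `REPORT_TRANSFER_MAIN=1 ./transfer_report.sh <report_name>.csv` from the alert action. Because `set -e` is in effect and `BatchMode=yes` turns every prompt into a failure, a missing host key, a rejected key, or a failed scp stops the script with a non-zero status that Splunk records, instead of silently leaving a stale report on the customer server.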
4. Create the saved search
A. Create the saved search responsible for generating the report through the GUI. This will allow us to launch scripts after the search is complete.
B. The saved search should contain the outputcsv command. This ensures the report is written to the $SPLUNK_HOME/etc/var/run/splunk/ file path.
… <search> … | outputcsv <report_name>.csv
C. After creating the search, click Save As > Report.
D. Add "Title" and click Save > Schedule
E. Check mark "Schedule Report" and provide "Schedule" criteria.
F. Check "Run a Script" and provide the "Filename" of the script (ensure the script is located in the $SPLUNK_HOME/bin/scripts/ file path).
G. Click Save.
H. The saved search should also be owned by the custom app that was created in the previous step.
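Steps C through H configure the saved search through the GUI; the result lands in savedsearches.conf under the /local folder created in step 2C, which is also where it can be version-controlled and reviewed. The stanza below is an added example of what that file looks like, not taken from the post; the app name, report name, schedule, search, and script file name are assumed placeholders. Splunk documents this "Run a Script" mechanism as a legacy alert action, so check that the release you run still honours it.

```ini
# $SPLUNK_HOME/etc/apps/<custom_app>/local/savedsearches.conf
# Added example (assumed names), equivalent to steps 4C-4H in the GUI.
[customer_daily_report]
# The search that produces the report; outputcsv writes <report_name>.csv (step 4B).
search = index=main sourcetype=access_combined status>=500 | stats count by host | outputcsv customer_daily_report.csv
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
# Schedule: every day at 06:00 (step 4E).
enableSched = 1
cron_schedule = 0 6 * * *
# Run a script after each scheduled run (step 4F). The file name is resolved
# relative to the scripts directory, not given as an absolute path.
action.script = 1
action.script.filename = transfer_report.sh
```

Keeping the stanza in the app's /local folder ties the search to the app (step 4H) and makes a change to the schedule or the script name visible in a diff rather than buried in a GUI click.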
5. Test automation
A. Manually run the saved search. If the report is placed on the remote server, the automation has worked!