The app contains a series of scripts that will:

  1. Perform a S.M.A.R.T. self-test: this is recommended monthly
  2. Obtain S.M.A.R.T. data: this is recommended hourly

Several versions of the scripts are included:

Script Purpose Environment Notes
smartmon_results.cmd Obtain S.M.A.R.T. data and tests results Windows Enabled by default
smartmon_results.ps1 Obtain S.M.A.R.T. data and tests results Windows (Powershell version) Obtain S.M.A.R.T. data and tests results *nix
smartmon_short_test.cmd Performs a short self-test Windows Enabled by default
smartmon_short_test.ps1 Performs a short self-test Windows (Powershell version) Performs a short self-test *nix

smartctl binaries for Windows are included by default in order to make installation easier. For this reason, the CMD scripts are enabled by default.


This app doesn't require Python and can be installed on a Universal Forwarder as well as a heavy forwarder. The input for performing hourly data gathering and monthly tests should work by default. No further changes should be necessary other than installing the app on a forwarder.

The app publishes views that will appear when the app is installed on a Search Head. It is recommended that you install the app on the Search Heads in order to monitor the Search Head disks and to use the analysis views.


Install smartctl

The binaries are not included for non-Windows platforms. You will need to first install smartctl for your platform. See for more details. Note that native packages may be available for your platform. For example, apt-get can be used to install smartmontools on Ubuntu (e.g. "sudo apt-get install smartmontools"). Make sure smartctl is in the path so that Splunk can run it. smartctl will also need root access. Thus, make sure it runs with the proper permissions.

Enable collection scripts

The collection scripts are not enabled by default since the smartctl binaries are not included with by default for non-Windows platforms. You will need to edit the inputs in order enable them. This can be done in the Splunk Manager by enabling the "" and/or "" script accordingly. You can also deploy a local version of inputs.conf to enable them:

disabled = 0

disabled = 0