This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6
In addition to using Splunk Web or editing inputs.conf, you can also configure data inputs at Splunk's Command Line Interface (CLI).
To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the ./splunk command. You can also add Splunk to your path and use the splunk command.
Note: If you get stuck, Splunk's CLI has built-in help. Access the main CLI help page by typing splunk help. Individual commands, objects, and parameters have their own help pages as well -- type splunk help [command | object | parameter name].
Use Splunk CLI data commands to perform actions on data sources. Commands and data sources take various parameters depending on the combination you use. There are five different commands to configure data inputs in the CLI:
| Command | Command syntax | Action |
|---|---|---|
| add | add [tail\|watch\|fifo\|tcp\|udp] source [-parameter value] ... | Add the specified data input to Splunk. |
| edit | edit [tail\|watch\|fifo\|tcp\|udp] source [-parameter value] ... | Edit a data input that was previously added. |
| remove | remove [tail\|watch\|fifo\|tcp\|udp] source | Remove a previously added data input. |
| list | list [tail\|watch\|fifo\|tcp\|udp] | List the currently configured data inputs of the specified type. |
| spool | spool source | Copy a file into Splunk via the sinkhole directory. |
Specify a data input type to use with a data input command.
| Data input type | Definition |
|---|---|
| tail | Continuously monitor a file or directory for new input. |
| watch | Monitor an archive directory for new files. |
| fifo | A FIFO (named pipe) to index from. |
| tcp | A TCP socket (network input) to monitor. |
| udp | A UDP socket (network input) to monitor. |
Change the configuration of each data input type by defining the parameters below. Optional parameters have the syntax: -parameter value. Use only one -hostname, -hostregex or -hostsegmentnum per command.
Parameters for tail
Required parameters
| Parameter | Definition |
|---|---|
| source | Path to the file or directory to monitor for new input. |
Optional parameters
| Parameter | Definition |
|---|---|
| sourcetype | Specify a sourcetype field value for events from the input source. |
| index | Specify the destination index for events from the input source. |
| hostname | Specify a host name to set as the host field value for events from the input source. |
| hostregex | Specify a regular expression to apply to the source file path; the matched text becomes the host field value for events from the input source. |
| hostsegmentnum | Specify which segment (by number) of the source file path to use as the host field value for events from the input source. |
| active-only | (T \| F) True or False. Set True to tell Splunk to index only files that have write permissions enabled. |
| follow-only | (T \| F) True or False. Default False. Set True to read only data appended after Splunk opens the source, starting from its end (like the Unix "tail -f" command). |
Tail only writable files in /var/log/.
Add /var/log/ as a data input, then edit the input so that only files with write permissions enabled are indexed.
./splunk add tail /var/log/
./splunk edit tail /var/log/ -active-only true
Parameters for watch
Required parameters
| Parameter | Definition |
|---|---|
| source | Path to a directory to watch for new input. |
Optional parameters
| Parameter | Definition |
|---|---|
| method | Set the method used to bring files into Splunk (symlink or copy). Default is symlink. |
| sourcetype | Specify a sourcetype field value for events from the input source. |
| index | Specify the destination index for events from the input source. |
| hostname | Specify a host name to set as the host field value for events from the input source. |
| hostregex | Specify a regular expression to apply to the source file path; the matched text becomes the host field value for events from the input source. |
| hostsegmentnum | Specify which segment (by number) of the source file path to use as the host field value for events from the input source. |
Watch a directory and set host and sourcetype field values for each event that's indexed.
Watch /mnt/archive and set the host field value for events from the source to the third segment of the file path, then edit the input to set the sourcetype to myApp.
./splunk add watch /mnt/archive -hostsegmentnum 3
./splunk edit watch /mnt/archive -sourcetype myApp
Parameters for fifo
Required parameters
| Parameter | Definition |
|---|---|
| source | Path to the FIFO (named pipe) to index from. |
Optional parameters
| Parameter | Definition |
|---|---|
| sourcetype | Specify a sourcetype field value for events from the input source. |
| index | Specify the destination index for events from the input source. |
| hostname | Specify a host name to set as the host field value for events from the input source. |
| hostregex | Specify a regular expression to apply to the source file path; the matched text becomes the host field value for events from the input source. |
| hostsegmentnum | Specify which segment (by number) of the source file path to use as the host field value for events from the input source. |
Configure a FIFO input and set the host and sourcetype field values for each event that's indexed.
Index from the FIFO /var/run/syslogfifo and set the sourcetype field for each event from the source to "linux_messages_syslog", then edit the input to set the host field value to web01.
./splunk add fifo /var/run/syslogfifo -sourcetype linux_messages_syslog
./splunk edit fifo /var/run/syslogfifo -hostname web01
Parameters for tcp and udp
Required parameters
| Parameter | Definition |
|---|---|
| source | Port number to listen on for data to index. |
Optional parameters
| Parameter | Definition |
|---|---|
| sourcetype | Specify a sourcetype field value for events from the input source. |
| index | Specify the destination index for events from the input source. |
| hostname | Specify a host name to set as the host field value for events from the input source. |
| remotehost | Specify a single IP address to accept data from; data from any other address is dropped. For UDP this is a source-address filter only, and UDP source addresses can be spoofed, so do not rely on it as authentication of the sender. |
| resolvehost | (T \| F) True or False. Default is False. Set True to resolve the sender's address via DNS and use the result as the host field value for events from the input source. |
Configure a network input and set the sourcetype field value for each event that's indexed. Listen for syslog on UDP port 514 (on Unix, binding a port below 1024 requires Splunk to run with root privileges):
./splunk add udp 514 -sourcetype syslog
Use the -auth parameter (username:password) to authenticate in line. Credentials passed this way are visible to other local users in the process list and are recorded in your shell history, so keep that in mind before using -auth in scripts.
./splunk edit udp 514 -resolvehost true -auth gwb:d3c1dr
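The following script is an added example, not part of the Splunk documentation or of Splunk itself. It wraps the add/edit commands above so that the page's tail, watch, fifo and udp examples can be applied from one script: each source is validated for its input type first (an existing path for tail and watch, a real FIFO for fifo, a port in 1-65535 for tcp and udp), and the script chooses `add` or `edit` depending on whether the input is already configured. Everything not on the page is an assumption: the SPLUNK_BIN, SPLUNK_DRY_RUN and RUN_MAIN variables are inventions of this example, and the add/edit decision assumes that the output of `splunk list <type>` contains the configured source path, which is not stated on this page.

```shell
#!/bin/sh
# Added example (not Splunk's own code). Assumptions not stated on the page:
#   - SPLUNK_BIN locates the splunk binary (default $SPLUNK_HOME/bin/splunk)
#   - the output of `splunk list <type>` mentions each configured source path
#   - SPLUNK_DRY_RUN=1 prints the commands instead of running them
#   - RUN_MAIN=1 runs main(); otherwise only the functions are defined
set -e

SPLUNK_BIN=${SPLUNK_BIN:-"${SPLUNK_HOME:-/opt/splunk}/bin/splunk"}

# Run a splunk CLI command, or print it in dry-run mode.
splunk_cmd() {
    if [ "${SPLUNK_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$SPLUNK_BIN $*"
    else
        "$SPLUNK_BIN" "$@"
    fi
}

# validate_port PORT: succeed only for an integer in 1..65535.
validate_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# input_exists TYPE SOURCE: succeed if `splunk list TYPE` already lists SOURCE.
# (Assumption: the list output contains the source path verbatim.)
input_exists() {
    if [ "${SPLUNK_DRY_RUN:-0}" = "1" ]; then
        return 1   # dry run: pretend nothing is configured yet
    fi
    "$SPLUNK_BIN" list "$1" 2>/dev/null | grep -qF -- "$2"
}

# configure_input TYPE SOURCE [-parameter value ...]
# Validates SOURCE for TYPE, then issues `add` (new input) or `edit` (existing).
configure_input() {
    [ $# -ge 2 ] || { echo "usage: configure_input TYPE SOURCE [-param value ...]" >&2; return 1; }
    itype=$1; isrc=$2; shift 2
    case $itype in
        tail|watch) [ -e "$isrc" ] || { echo "missing path: $isrc" >&2; return 1; } ;;
        fifo)       [ -p "$isrc" ] || { echo "not a FIFO: $isrc" >&2; return 1; } ;;
        tcp|udp)    validate_port "$isrc" || { echo "bad port: $isrc" >&2; return 1; } ;;
        *)          echo "unknown input type: $itype" >&2; return 1 ;;
    esac
    if input_exists "$itype" "$isrc"; then
        splunk_cmd edit "$itype" "$isrc" "$@"
    else
        splunk_cmd add "$itype" "$isrc" "$@"
    fi
}

# Reproduces the page's four examples in one pass.
main() {
    configure_input tail /var/log/ -active-only true
    configure_input watch /mnt/archive -hostsegmentnum 3 -sourcetype myApp
    configure_input fifo /var/run/syslogfifo -sourcetype linux_messages_syslog -hostname web01
    configure_input udp 514 -sourcetype syslog -resolvehost true
}

if [ "${RUN_MAIN:-0}" = "1" ]; then
    main
fi
```

Preview what would be run with `RUN_MAIN=1 SPLUNK_DRY_RUN=1 sh configure_inputs.sh`, then drop SPLUNK_DRY_RUN to apply it. Any `-auth user:password` argument passed through this wrapper is still visible in the process list (and printed in dry-run mode), so the caveat about in-line credentials above applies to scripted use as well.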