input
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10
input
Synopsis
Adds or disables sources from being processed by Splunk.
Syntax
input (add|remove) [sourcetype=string] [index=string] [string=string]*
Arguments
- sourcetype
- Datatype: <string>
- Description: Adds or removes (disables) sources from being processed by splunk, enabling or disabling inputs in inputs.conf, with optional sourcetype and index settings
- index
- Datatype: <string>
- Description: Adds or removes (disables) sources from being processed by splunk, enabling or disabling inputs in inputs.conf, with optional sourcetype and index settings
Description
Adds or removes (disables) sources from being processed by splunk, enabling or disabling inputs in inputs.conf, with optional sourcetype and index settings. Any additional attribute=values are set added to inputs.conf. Changes are logs to $splunk_home/var/log/splunk/inputs.log. Generally to be used in conjunction with the crawl command.
Examples
Example 1: Remove all csv files that are currently being processed
| crawl | search source=*csv | input remove
Example 2: Add all sources found in bob's home directory to the 'preview' index with sourcetype=text, setting custom user fields 'owner' and 'name'
| crawl root=/home/bob/txt | input add index=preview sourcetype=text owner=bob name="my nightly crawl"Example 3: Add each source found by crawl in the default index with automatic source classification (sourcetyping)
| crawl | input add