Protip: Add inputs on a forwarder using a CLI search… like a ninja.

You deploy a Splunk forwarder, disable the web interface, and now you want to add inputs. What do you do? You could SSH to the box, do it through the CLI locally… you stop… think about it.. and you think to yourself, “No way, that’s how a pirate rolls.”

You’re a ninja. You use Splunk. You’re going to use a search to add an input to the remote Splunk server (the forwarder) in the same fashion that you throw ninja stars to lay the smack down from a distance everyday.

1. Go to the CLI (command line interface) of any server that has Splunk on it (ie. the indexer).

2. Execute a Splunk CLI search using the crawl command, the input command, and send that command to the Splunk server you want to run it on by using the -uri option:

./splunk search “| crawl root=/myawesomelogdir | input add” -uri [http|https]://<servername>:<port>

The Splunk CLI will return the sources that were added by the crawling/inputting that is done inside the search.

3. Check to see if the inputs were added to the remote server by using -uri again.

./splunk list tail -uri [http|https]://<servername>:<port>

(Works in 3.1.x +)

Tags: , , , , , , , ,

By Jason Rosensteel

Posted by