Add a network input using the CLI

SplunkExplorer — Tue, 09 Jan 2024 09:36:42 GMT

Hi Splunkers, I'm performing some test on my test environment and I'm curious about observed behavior.

I want to add some network inputs, so tcp and udp ones, to my env.
I found easily on doc how to achieve this: Monitornetworkports and it works fine, with no issues. Inputs are correctly added to my Splunk. I can confirm this with no problem on both web GUI and from CLI using btool.

My wonder is: if I use the command in the above link, inputs are added on inputs.conf located in SPLUNK_HOME\etc\apps\search\local. For example, if I use:

splunk add tcp 3514 -index network -soucetype checkpoint

And then, I digit

splunk btool inputs list --debug | findstr 3514

The output is:

C:\Program Files\Splunk\etc\apps\search\local\inputs.conf [tcp://3514]

And, checking manually the file, confs related to my add command are exactly on it.
So, I assume that search is the default app if no additional parameter are provided.
Now, I know well that if I want edit another inputs.conf file, I can simply manually edit it.
But what about if I want edit another inputs.conf from CLI?
In other words: I want to know if I can use the splunk add command and specify which inputs.conf file modify. Is it possible?

Re: Add a network input using the CLI

inventsekar — Tue, 09 Jan 2024 09:52:58 GMT

Hi @SplunkExplorer

You are right. Looks like the CLI got no app context parameters.

the doc link - https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports#Add_a_network_input_using_the_CLI

Command Command syntax Action

add	add tcp\|udp <port> [-parameter value] ...	Add inputs from <port>.
edit	edit tcp\|udp <port> [-parameter value] ...	Edit a previously added input for <port>.
remove	remove tcp\|udp <port>	Remove a previously added data input.
list	list tcp\|udp [<port>]	List the currently configured monitor.

The <port> is the port number on which to listen for data. The user you run the Splunk platform as must have access to this port.

You can modify the configuration of each input by setting any of these optional parameters:

Parameter Description

sourcetype	Provide a sourcetype field value for events from the input source.
index	Provide the destination index for events from the input source.
hostname	Provide a host name to set as the host field value for events from the input source.
remotehost	Provide an IP address to exclusively accept data from.
resolvehost	Set to true or false (T \| F). Default is false. Set to true to use DNS to set the host field value for events from the input source.
restrictToHost	Provide a host name or IP address to accept connections only from the specified host or IP address.

there is no options to specify the app's context. the CLI and web gui update methods got their limitations.

the config file editing is the ultimate method which got all of its features and syntax.

Best Regards,

Sekar

topic Re: Add a network input using the CLI in Splunk Enterprise

Add a network input using the CLI

Re: Add a network input using the CLI