Getting Data In

Can I use CLI to configure inputs.conf blacklist

tdrisdelle
Engager

Is there any way to use the CLI to configure the blacklist (in inputs.conf) file?

The docs seem to indicate no... but I'm hopeful that I've missed something.

./splunk help edit
required parameters:

(For edit monitor)
    source                      path to a file or directory whose contents should be indexed by the Splunk server, and then watched for new input. The Splunk server unpacks tarfiles and compressed files.

optional parameters:

(For edit monitor)
        sourcetype                  source type value to set for events from the source

        index                       a local Splunk index to place events from the source

        hostname                    host name to set as the host value

        hostregex                   regular expression of file path to set as the host value

        hostsegmentnum              number of segments in the file path to set as the host value

        follow-only                 only read from the end of the file (True|False, default=False)
1 Solution

bmacias84
Champion

@tdrisdelle, No you are not missing anything. Currently the CLI does not offer the ability to edit advanced stanza settings. Just like the GUI, the CLI allows basic add and modify abilities. For more advanced stanaza and settings changes direct conf file edits are required. This is when building TAs and using something like the Deployment Server makes configuration much easier.

View solution in original post

0 Karma

bmacias84
Champion

@tdrisdelle, No you are not missing anything. Currently the CLI does not offer the ability to edit advanced stanza settings. Just like the GUI, the CLI allows basic add and modify abilities. For more advanced stanaza and settings changes direct conf file edits are required. This is when building TAs and using something like the Deployment Server makes configuration much easier.

0 Karma

bondu
Explorer

What is the Operating System you have splunk installed on?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...