Getting Data In

Can I use CLI to configure inputs.conf blacklist

tdrisdelle
Engager

Is there any way to use the CLI to configure the blacklist (in inputs.conf) file?

The docs seem to indicate no... but I'm hopeful that I've missed something.

./splunk help edit
required parameters:

(For edit monitor)
    source                      path to a file or directory whose contents should be indexed by the Splunk server, and then watched for new input. The Splunk server unpacks tarfiles and compressed files.

optional parameters:

(For edit monitor)
        sourcetype                  source type value to set for events from the source

        index                       a local Splunk index to place events from the source

        hostname                    host name to set as the host value

        hostregex                   regular expression of file path to set as the host value

        hostsegmentnum              number of segments in the file path to set as the host value

        follow-only                 only read from the end of the file (True|False, default=False)
1 Solution

bmacias84
Champion

@tdrisdelle, No you are not missing anything. Currently the CLI does not offer the ability to edit advanced stanza settings. Just like the GUI, the CLI allows basic add and modify abilities. For more advanced stanaza and settings changes direct conf file edits are required. This is when building TAs and using something like the Deployment Server makes configuration much easier.

View solution in original post

0 Karma

bmacias84
Champion

@tdrisdelle, No you are not missing anything. Currently the CLI does not offer the ability to edit advanced stanza settings. Just like the GUI, the CLI allows basic add and modify abilities. For more advanced stanaza and settings changes direct conf file edits are required. This is when building TAs and using something like the Deployment Server makes configuration much easier.

0 Karma

bondu
Explorer

What is the Operating System you have splunk installed on?

0 Karma
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...