Getting Data In

How to monitor changes made to the inputs.conf file?

AKG1_old1
Builder

Hello,

We update the inputs.conf file periodically. I want to keep track of changes made in the inputs.conf file.

Any suggestions on how we can upload the file to Splunk whenever changes are made in inputs.conf?

Regards,
Ankit

1 Solution

lukejadamec
Super Champion

You can dig into Splunk configs to monitor for inputs.conf changes. Keep in mind that inputs.conf can change in any Splunk subdirectory, so don't focus on one single inputs.conf file - to wit, search Splunk_Home for inputs.conf and you will get many file hits. Changes to any inputs.conf file will likely give you new inputs.

If you only monitor the main Splunk instance, then you might miss changes to forwarder inputs.conf files (a bit rusty on forwarding).

To monitor all changes to all inputs.conf files on your local Splunk system such that every change will have a new _time (time stamp) you can add the following text to your inputs.conf and props.conf files:

In an inputs.conf file:

[monitor://$SPLUNK_HOME\etc\...\inputs.conf]
disabled = false
sourcetype = Inputs_conf

In the corresponding props.conf file:

[Inputs_conf]
DATETIME_CONFIG=CURRENT

To see changes to any inputs.conf file, simply run a search on sourcetype=Inputs_conf for the time frame you're interested in. The Source will point you to the inputs.conf file path, and the Event will show you the change.
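A file-level check on the same idea, as an added example that is not part of the original thread: it snapshots every inputs.conf under a directory tree and reports added, removed, and modified files as unified diffs. The sample tree, the host value, the log path, and the `NewApp` app name are constructed for the demonstration.

```python
import difflib
import tempfile
from pathlib import Path

def snapshot(etc_dir):
    """Map every inputs.conf under etc_dir (relative path) to its text."""
    etc = Path(etc_dir)
    return {p.relative_to(etc).as_posix(): p.read_text(errors="replace")
            for p in sorted(etc.rglob("inputs.conf")) if p.is_file()}

def compare(old, new):
    """Return {path: (status, unified-diff lines)} for files that differ."""
    report = {}
    for path in sorted(set(old) | set(new)):
        before, after = old.get(path), new.get(path)
        if before == after:
            continue
        status = ("added" if before is None
                  else "removed" if after is None else "modified")
        diff = list(difflib.unified_diff(
            (before or "").splitlines(), (after or "").splitlines(),
            fromfile=f"a/{path}", tofile=f"b/{path}", lineterm=""))
        report[path] = (status, diff)
    return report

def demo():
    """Run against a constructed tree that stands in for $SPLUNK_HOME/etc."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp)
        files = {
            "system/local/inputs.conf": "[default]\nhost = demo-host\n",
            "apps/YourInputAppName/local/inputs.conf":
                "[monitor:///var/log/app.log]\nsourcetype = app\n",
        }
        for rel, text in files.items():
            (etc / rel).parent.mkdir(parents=True)
            (etc / rel).write_text(text)
        baseline = snapshot(etc)
        # Constructed changes: one input disabled, one new app adds an input.
        with (etc / "apps/YourInputAppName/local/inputs.conf").open("a") as f:
            f.write("disabled = true\n")
        new_app = etc / "apps/NewApp/default/inputs.conf"  # hypothetical app
        new_app.parent.mkdir(parents=True)
        new_app.write_text("[script://./bin/collect.sh]\ninterval = 60\n")
        return compare(baseline, snapshot(etc))

if __name__ == "__main__":
    for path, (status, diff) in demo().items():
        print(f"{status}: {path}", *diff, sep="\n")
```

To use it on a real instance, call `snapshot()` on the etc directory of the Splunk installation, keep the result as the baseline, and pass a later snapshot to `compare()`.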

somesoni2
Revered Legend

Do you monitor inputs.conf directly on the server? Do you restart the splunk service after each change? You could just include something like this in your inputs.conf

[monitor://$SPLUNK_HOME/etc/apps/YourInputAppName/local/inputs.conf]
index = putSomeIndex
sourcetype = putSomeSourcetype
crcSalt = <SOURCE>

s2_splunk
Splunk Employee

Aside from monitoring the files themselves (which is not a bad thing at all), my best practice recommendation would be to manage all your Splunk configuration files in a source control system, similar to what you would do with other code. This allows you to track changes and roll back to previous versions easily. When combined with using deployment server (or another distributed config management tool), this can enable a solid configuration lifecycle management process.


jconger
Splunk Employee

vsingla1
Communicator

@jconger-- The link you provided has a disclaimer at the top: This feature has been deprecated as of Splunk Enterprise version 5.0. This means that although it continues to function in version 6.x of Splunk software, it might be removed in a future version.
