- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Modifying modular input's local inputs.conf via th...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Modifying modular input's local inputs.conf via the REST API
Hi all,
I'm trying to change specific values of a modular input's inputs.conf from within the modular input itself. As an example, let's say $SPLUNK_HOME/etc/apps/my_app/local/inputs.conf contains:
[my_app://TestInput]
key = value
key_alt = value_alt
A GET request (authenticated with a session_key retrieved from STDIN within my modular input) to /services/data/inputs/my_app/TestInput will return the fields along with a ton of extra data, no problem whatsoever. My issues start when I try to modify the fields - say I want to change the key_alt value to alternative. I'm doing via a POST request to the same URI with POST-encoded variables:
key=value
key_alt=alternative
So far so good - the server doesn't complain and if I send another GET request to /services/data/inputs/my_app/TestInput the data will reflect the last change. However, instead of actually modifying the value of $SPLUNK_HOME/etc/apps/my_app/local/inputs.conf, Splunk writes the change in $SPLUNK_HOME/etc/apps/search/local/inputs.conf as:
[my_app://TestInput]
key_alt = alternative
Furthermore (and not too much important), if I am to delete this entry manually, the STDIN configuration for my modular input will still reflect the change forcing me to conclude that there must be some sort of a flush method that I can call to refresh the configuration my modinput receives through STDIN?
But my primary concern is how to force the REST API /services/data/inputs/ endpoint to edit the right inputs.conf (the one it gets the fields from) instead of reaching for the top-level one in /apps/search/local
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it would seem for modular inputs, the inputs.conf that the stanza is created in depends on the "context" in which you launch Settings | Data Inputs
localhost:8000/en-us/manager/launcher/datainputstats
mod-input inputs.conf stanza created in /etc/apps/launcher/local/inputs.conf
localhost:8000/en-us/manager/search/datainputstats
mod-input inputs.conf stanza created in /etc/apps/search/local/inputs.conf
localhost:8000/en-us/manager/{app}/datainputstats
mod-input inputs.conf stanza created in /etc/apps/{app}/local/inputs.conf
Seems strange to me....
I would have expected it to be created at
mod-input inputs.conf stanza created in /etc/apps/{actual-modular-input}/local/inputs.conf
In any event, i have some code that also updates the input.config and it will create the updated configuration in:
mod-input inputs.conf stanza created in /etc/apps/{app}/local/inputs.conf
but will only contain the updated values.
Everything is fine when you use the api / modular input until you try and delete the modular input, and then everything goes haywire and it's not possible to actually delete the input.
i'm using splunk Version:
7.1.2
Build:
a0c72a66db66
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using /servicesNS/<username>/<app path>/data/inputs/ as your endpoint.
I haven't tried this for modular inputs, but it worked for adding an index in the search app's indexes.conf, so I'd be willing to bet it will work here as well.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
