I apologise in advance for not knowing how to word this question properly but I'm writing a modular input that's part of an app and I'm wondering what exactly is the job of the URI-like segment after the name of the input in the inputs.conf.spec name stanza (for example, //default in the twitter modinput example)? And how is it used by the app/modinput and Slunk Enterprise once your app has been deployed?
inputs.conf.spec
[twitter://default]
*This is how the Twitter app is configured
username = <value>
*This is the user's twitter username/handle
password = <value>
*This is the user's password used for logging into twitter
Hi @varsityalgebra
For a modular input like your example, the inputs.conf stanza will become the source
field of the data - unless you overwrite it when defining inputs.
Hope this helps.
Hi @varsityalgebra
For a modular input like your example, the inputs.conf stanza will become the source
field of the data - unless you overwrite it when defining inputs.
Hope this helps.
Right but what is the role of the "//default" I highlighted? How can I use this in my own modinput? I see that some inputs like tcp can have a port number there but it still is not clear how can I use this in my own modular input.
The properties set in the<whatever>://default
stanza should be automatically applied to every other stanza. It is a way of being able to set default values.
So in your specific example, if there is a twitter://userAfeed
stanza, then it will automatically have the username
and password
properties set.
Hope this makes sense
I think I'm starting to see it but want to use a different example to clarify. What does the following stanza mean?
[tcp://:9995]
connection_host = dns
sourcetype = log4j
source = tcp:9995
It seems to be defining those properties for just TCP port 9995 but where is that logic stablished? How does my modinput make use of the fact that ":9995" was set in the stanza?
You do need to write code in your modular input to use the values set. If you are using the addon build it shows you some example code like so:
# get all detailed input stanzas
helper.get_input_stanza()
# get specific input stanza with stanza name
helper.get_input_stanza(stanza_name)
# get all stanza names
helper.get_input_stanza_names()
for stanza_name in helper.get_input_stanza_names():
event = helper.new_event(source=input_type, index=helper.get_output_index(stanza_name), sourcetype=helper.get_sourcetype(stanza_name), data=data)
ew.write_event(event)
I am not sure what the code is if you aren't using the addon builder with its helper function.
In the tcp example the port number is also included in the "source" setting. Does that mean that the port number in the name "tcp://:9995" is not used at all and is just used to identify that particular input? Or do people actually take setting information from the name stanza?
Some app developers (and splunk themselves) use the stanza as a setting. Some don't. Yes its a bit confusing and inconsistent.
Thanks Chris, one more question, can I use the helper object outside the addon builder, using the Python SDK for example? It seems that you can't but just in case I missed something in my google search.
No it is a part of the addon builder - sorry
Ok thanks.