What exactly is the job of the URI-like segment after the name of the input in the inputs.conf.spec name stanza?

varsityalgebra
Engager

I apologise in advance for not knowing how to word this question properly but I'm writing a modular input that's part of an app and I'm wondering what exactly is the job of the URI-like segment after the name of the input in the inputs.conf.spec name stanza (for example, //default in the twitter modinput example)? And how is it used by the app/modinput and Splunk Enterprise once your app has been deployed?

inputs.conf.spec

[twitter://default]
*This is how the Twitter app is configured
username = <value>
*This is the user's twitter username/handle
password = <value>
*This is the user's password used for logging into twitter
0 Karma

chrisyounger
SplunkTrust

Hi @varsityalgebra

For a modular input like your example, the inputs.conf stanza will become the source field of the data - unless you overwrite it when defining inputs.

Hope this helps.

0 Karma

varsityalgebra
Engager

Right, but what is the role of the "//default" I highlighted? How can I use this in my own modinput? I see that some inputs like tcp can have a port number there but it still is not clear how I can use this in my own modular input.

0 Karma

chrisyounger
SplunkTrust

The properties set in the <whatever>://default stanza should be automatically applied to every other stanza. It is a way of being able to set default values.

So in your specific example, if there is a twitter://userAfeed stanza, then it will automatically have the username and password properties set.

Hope this makes sense

0 Karma

varsityalgebra
Engager

I think I'm starting to see it but want to use a different example to clarify. What does the following stanza mean?
[tcp://:9995]
connection_host = dns
sourcetype = log4j
source = tcp:9995

It seems to be defining those properties for just TCP port 9995 but where is that logic established? How does my modinput make use of the fact that ":9995" was set in the stanza?

0 Karma

chrisyounger
SplunkTrust

You do need to write code in your modular input to use the values set. If you are using the addon builder, it shows you some example code like so:

# get all detailed input stanzas
helper.get_input_stanza()
# get specific input stanza with stanza name
helper.get_input_stanza(stanza_name)
# get all stanza names
helper.get_input_stanza_names()

for stanza_name in helper.get_input_stanza_names():
    event = helper.new_event(source=input_type, index=helper.get_output_index(stanza_name), sourcetype=helper.get_sourcetype(stanza_name), data=data)
    ew.write_event(event)

I am not sure what the code is if you aren't using the addon builder with its helper function.

0 Karma

varsityalgebra
Engager

In the tcp example the port number is also included in the "source" setting. Does that mean that the port number in the name "tcp://:9995" is not used at all and is just used to identify that particular input? Or do people actually take setting information from the name stanza?

0 Karma

chrisyounger
SplunkTrust

Some app developers (and Splunk themselves) use the stanza as a setting. Some don't. Yes, it's a bit confusing and inconsistent.

0 Karma
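
Added example, not from any post in this thread and not Splunk's or the Add-on Builder's own code: without the helper object, a modular input script receives its stanzas as XML on stdin, and the segment after `://` means only what the script makes of it. The sample XML, the function names `parse_inputs` and `resolve_username`, and the "fall back to the stanza name" convention are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the XML that splunkd writes to a modular input
# script's stdin; every name and value here is made up for illustration.
SAMPLE_STDIN = """<input>
  <server_host>constructed-host</server_host>
  <server_uri>https://127.0.0.1:8089</server_uri>
  <session_key>constructed-session-key</session_key>
  <checkpoint_dir>/tmp/constructed-checkpoints</checkpoint_dir>
  <configuration>
    <stanza name="twitter://userAfeed">
      <param name="username">userA</param>
      <param name="index">main</param>
    </stanza>
    <stanza name="twitter://splunk">
      <param name="index">main</param>
    </stanza>
  </configuration>
</input>"""


def parse_inputs(xml_text, scheme="twitter"):
    """Return one dict per stanza: full name, the part after scheme://, params."""
    inputs = []
    for stanza in ET.fromstring(xml_text).iter("stanza"):
        full_name = stanza.get("name", "")
        prefix, sep, input_name = full_name.partition("://")
        if not sep or prefix != scheme:
            # Malformed name or a different scheme: skip instead of guessing.
            continue
        params = {p.get("name"): (p.text or "") for p in stanza.iter("param")}
        inputs.append({"stanza": full_name, "name": input_name, "params": params})
    return inputs


def resolve_username(inp):
    """Hypothetical convention: explicit username param wins, else the stanza name."""
    return inp["params"].get("username") or inp["name"]


if __name__ == "__main__":
    # A deployed script would pass sys.stdin.read() instead of the sample.
    for inp in parse_inputs(SAMPLE_STDIN):
        print(inp["stanza"], "->", resolve_username(inp))
```

The same split applied to a stanza named `tcp://:9995` yields `:9995`, which a script would then have to parse as a port itself.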

varsityalgebra
Engager

Thanks Chris, one more question: can I use the helper object outside the addon builder, using the Python SDK for example? It seems that you can't but just in case I missed something in my Google search.

0 Karma

chrisyounger
SplunkTrust

No, it is a part of the addon builder - sorry

0 Karma

varsityalgebra
Engager

Ok thanks.

0 Karma