Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit a data input monitor by CLI

keinoda
Explorer
‎11-20-2013 06:45 PM

Hi,

I'm using Splunk6.0.
I tried to disable a data input monitor by CLI (/opt/splunk/bin/splunk edit monitor '/var/log/messages' -disable 1 -auth admin:password). Display shows "Modified monitor of '/var/log/messages'", however it seems that it is not changed.

(I referred to http://docs.splunk.com/Documentation/Splunk/6.0/Data/MonitorfilesanddirectoriesusingtheCLI)

Is it impossible to disable a data input by CLI?

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎12-19-2013 08:29 PM

It seems fixed in 6.0.1

`
cd /opt/splunk/bin
./splunk version
Splunk 6.0.1 (build 189883)

./splunk add monitor "/var/log/feed/*.log" -auth admin:changeme

cat ../splunk/etc/apps/search/local/inputs.conf
[monitor:///var/log/feed/*.log]

./splunk edit monitor "/var/log/feed/*.log" -disabled true -auth admin:changeme

cat ../splunk/etc/apps/search/local/inputs.conf
[monitor:///var/log/feed/*.log]
disabled = true
`

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎12-19-2013 08:29 PM

It seems fixed in 6.0.1

`
cd /opt/splunk/bin
./splunk version
Splunk 6.0.1 (build 189883)

./splunk add monitor "/var/log/feed/*.log" -auth admin:changeme

cat ../splunk/etc/apps/search/local/inputs.conf
[monitor:///var/log/feed/*.log]

./splunk edit monitor "/var/log/feed/*.log" -disabled true -auth admin:changeme

cat ../splunk/etc/apps/search/local/inputs.conf
[monitor:///var/log/feed/*.log]
disabled = true
`

Reply
Solved! Jump to solution

norbert_hamel
Communicator
‎11-22-2013 09:54 PM

Hi,

it seems that it's really not pissible to do that on CLI.

I have tried on a Universal Forwarder with:

./splunk edit monitor /var/SP/MyFiles/ -disabled true
./splunk edit monitor /var/SP/MyFiles/ -disabled 1

But both without the inteded result.

Note that the parameter should be disabled with a tailing "d"....

However, the parameter "disabled" is not listed in the docs, so maybe this is worth for an enhancement request.

Cheers
Norbert

0 Karma
Reply
Solved! Jump to solution

norbert_hamel
Communicator
‎11-24-2013 08:29 PM

Hi,

maybe you want to let us know which command you have used to change exactly which file? Then we all could learn something...

Thanks

0 Karma
Reply
Solved! Jump to solution

keinoda
Explorer
‎11-24-2013 07:06 PM

Sorry, I made a mistake. Other app's file was changed.

I tried it again, and I could change monitor status by CLI on a Splunk Server.

Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...