Splunk Enterprise

Add a network input using the CLI

SplunkExplorer
Contributor

Hi Splunkers, I'm performing some tests on my test environment and I'm curious about the observed behavior.

I want to add some network inputs, so tcp and udp ones, to my env.
I easily found in the docs how to achieve this: Monitornetworkports, and it works fine, with no issues. Inputs are correctly added to my Splunk. I can confirm this with no problem both in the web GUI and from the CLI using btool.

My question is: if I use the command in the above link, inputs are added to the inputs.conf located in SPLUNK_HOME\etc\apps\search\local. For example, if I use:

splunk add tcp 3514 -index network -sourcetype checkpoint

And then I type

splunk btool inputs list --debug | findstr 3514

 

The output is:

C:\Program Files\Splunk\etc\apps\search\local\inputs.conf     [tcp://3514]

 

And, checking the file manually, the confs related to my add command are exactly in it.
So, I assume that search is the default app if no additional parameters are provided.
Now, I know well that if I want to edit another inputs.conf file, I can simply edit it manually.
But what if I want to edit another inputs.conf from the CLI?
In other words: I want to know if I can use the splunk add command and specify which inputs.conf file to modify. Is it possible?


inventsekar
SplunkTrust

Hi @SplunkExplorer 

You are right. Looks like the CLI got no app context parameters. 

the doc link - https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports#Add_a_network_input_usi...

Command   Command syntax                               Action
add       add tcp|udp <port> [-parameter value] ...    Add inputs from <port>.
edit      edit tcp|udp <port> [-parameter value] ...   Edit a previously added input for <port>.
remove    remove tcp|udp <port>                        Remove a previously added data input.
list      list tcp|udp [<port>]                        List the currently configured monitor.

The <port> is the port number on which to listen for data. The user you run the Splunk platform as must have access to this port.

You can modify the configuration of each input by setting any of these optional parameters:

Parameter        Description
sourcetype       Provide a sourcetype field value for events from the input source.
index            Provide the destination index for events from the input source.
hostname         Provide a host name to set as the host field value for events from the input source.
remotehost       Provide an IP address to exclusively accept data from.
resolvehost      Set to true or false (T | F). Default is false. Set to true to use DNS to set the host field value for events from the input source.
restrictToHost   Provide a host name or IP address to accept connections only from the specified host or IP address.

 

There are no options to specify the app's context. The CLI and web GUI update methods have their limitations.

Config file editing is the ultimate method, which has all of its features and syntax.

 

Best Regards,

Sekar


PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
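
The file-editing route the answer recommends, as an added example (not part of the original posts and not Splunk's own code): a Python helper that creates or updates the [tcp://3514] stanza in a chosen app's local inputs.conf and leaves other stanzas alone. The app name my_network_inputs and the temporary directory standing in for SPLUNK_HOME are assumptions made for the demo.

```python
import os
import tempfile

def app_inputs_path(splunk_home, app):
    # Same layout as the path btool printed: etc/apps/<app>/local/inputs.conf
    return os.path.join(splunk_home, "etc", "apps", app, "local", "inputs.conf")

def upsert_stanza(conf_path, stanza, settings):
    """Create or update [stanza] in a .conf file; other stanzas stay untouched."""
    header = f"[{stanza}]"
    lines = []
    if os.path.exists(conf_path):
        with open(conf_path, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    start = next((i for i, l in enumerate(lines) if l.strip() == header), None)
    if start is None:                      # stanza not present yet: append it
        if lines and lines[-1].strip():
            lines.append("")
        start = len(lines)
        lines.append(header)
    # The stanza body runs until the next [header] or the end of the file.
    end = next((i for i in range(start + 1, len(lines))
                if lines[i].lstrip().startswith("[")), len(lines))
    pending = dict(settings)
    body = []
    for line in lines[start + 1:end]:
        if not line.strip():
            continue
        key = line.split("=", 1)[0].strip()
        if "=" in line and key in pending:  # overwrite an existing key in place
            line = f"{key} = {pending.pop(key)}"
        body.append(line)
    body += [f"{k} = {v}" for k, v in pending.items()]
    if end < len(lines):                   # keep a blank line before the next stanza
        body.append("")
    lines[start + 1:end] = body
    os.makedirs(os.path.dirname(conf_path), exist_ok=True)
    with open(conf_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines

if __name__ == "__main__":
    home = tempfile.mkdtemp()              # constructed stand-in for SPLUNK_HOME
    path = app_inputs_path(home, "my_network_inputs")  # hypothetical app name
    upsert_stanza(path, "tcp://3514", {"index": "network", "sourcetype": "checkpoint"})
    print(path)
    print(open(path, encoding="utf-8").read())
```

Splunk has to be restarted to load a manually edited inputs.conf; afterwards the btool command from the question shows which file owns the [tcp://3514] stanza.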
