Command Line Configuration
Splunk 2.2 has a vastly expanded set of command line functions that mirror as much of the web interface as possible.
Data Input Configuration Commands
Actions
add [tail|watch|fifo|tcp|udp|odbc] [source] [-parameter value] ...
edit [tail|watch|fifo|tcp|udp|odbc] [source] [-parameter value] ...
remove [tail|watch|fifo|tcp|udp|odbc] [source]
list [tail|watch|fifo|tcp|udp|odbc]
Objects
- tail
a file or directory to be continuously tailed for new input
- watch
an archive directory to be monitored for new files
- fifo
a FIFO or named pipe
- tcp
a TCP socket
- udp
a UDP socket
- odbc
an ODBC database table
Default Parameter
- source
the file, directory, FIFO, socket or DSN/table to be managed
Required Parameters
Optional Parameters
- Type "help [object]" to see the parameters specific to each type of object.
Tail Inputs
Actions & Objects
add tail [source] [-parameter value] ...
edit tail [source] [-parameter value] ...
remove tail [source]
list tail
Default Parameter
- source
path to a file or directory whose contents should be indexed by the Splunk Server, and then watched for new input. If the specified file or directory does not exist, the Splunk Server will not check to see if it is created later; it will only check once at each restart.
Required Parameters
- source
Optional Parameters
- sourcetype
Source type value to set on events from the source. Use Splunk's pre-trained source types whenever possible.
- index
Splunk index into which to place events from the source
- hostname
Hostname or IP address to set as the host:: value
for example, web01.mycorp.com
- hostregex
regular expression on file path to set as the host value
for example, -hostregex "archive\/([^\/]*)200[0-9]" on /archive/web0120060333.Z sets host::web01
- hostsegmentnum
number of the segment in the file path to set as the host value
for example, -hostsegmentnum 2 on /var/web01/archive/ sets host::web01
- auth
username:password to authenticate the command to a Splunk Professional Server. A password passed this way is visible to other local users in the process list and is recorded in the shell history, so prefer an account with no more privilege than the command needs.
Examples
# splunk add tail /var/log/
# splunk edit tail /var/log -hostname foo.example.com
Use no more than one of -hostname, -hostregex or -hostsegmentnum per command.
Use "spool" to index a file once and forget about it.
Use "add watch" to monitor an archive directory for newly-arrived, closed files.
Use "add tail" to index active log files and directories with live as well as closed files.
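The following is an added example, not code from the Splunk documentation or product. It models how -hostsegmentnum and -hostregex derive the host:: value from a file path, using the page's own examples, and composes a `splunk add` command line while enforcing the two rules stated above: at most one host-setting option, and (for tail and watch) a source that already exists, since the server only re-checks a missing path at restart. The segment and capture-group semantics are inferred from the examples; Splunk's own regex engine may handle edge cases differently (assumption).

```python
import os
import re

# Added example (not Splunk's code): model the host-derivation options and
# build the argv for `splunk add <tail|watch|fifo> <source> ...`.


def host_from_segment(path, n):
    """-hostsegmentnum model: the n-th '/'-separated segment, 1-based,
    ignoring the empty segments produced by leading/trailing slashes."""
    segments = [s for s in path.split("/") if s]
    if n < 1 or n > len(segments):
        raise ValueError(f"{path!r} has no segment {n}")
    return segments[n - 1]


def host_from_regex(path, pattern):
    """-hostregex model: the first capture group of the regex matched
    against the file path (assumption: Splunk uses the first group)."""
    m = re.search(pattern, path)
    if m is None or m.lastindex is None:
        raise ValueError(f"{pattern!r} captured no host from {path!r}")
    return m.group(1)


HOST_OPTIONS = ("-hostname", "-hostregex", "-hostsegmentnum")


def build_add_command(kind, source, sourcetype=None, index=None,
                      hostname=None, hostregex=None, hostsegmentnum=None,
                      require_existing=True):
    """Compose the command as an argv list (no shell quoting needed).
    Refuses conflicting host options and, for tail/watch, a source that
    does not exist yet."""
    if kind not in ("tail", "watch", "fifo"):
        raise ValueError(f"unsupported input kind {kind!r}")
    chosen = [(opt, val) for opt, val in
              zip(HOST_OPTIONS, (hostname, hostregex, hostsegmentnum))
              if val is not None]
    if len(chosen) > 1:
        raise ValueError("use no more than one of " + ", ".join(HOST_OPTIONS))
    if require_existing and kind in ("tail", "watch") and not os.path.exists(source):
        raise FileNotFoundError(
            f"{source} does not exist; the server will not notice it appearing later")
    argv = ["splunk", "add", kind, source]
    if sourcetype:
        argv += ["-sourcetype", sourcetype]
    if index:
        argv += ["-index", index]
    for opt, val in chosen:
        if opt == "-hostregex":
            re.compile(val)  # fail here rather than mislabel every event later
        argv += [opt, str(val)]
    return argv


if __name__ == "__main__":
    print(host_from_regex("/archive/web0120060333.Z", r"archive\/([^\/]*)200[0-9]"))
    print(host_from_segment("/var/web01/archive/", 2))
    print(" ".join(build_add_command("tail", "/var/log",
                                     hostname="foo.example.com",
                                     require_existing=False)))
```

Run a candidate -hostregex or -hostsegmentnum through the model against a few real paths from the directory before applying it, because a wrong host value is applied silently to every event the input produces.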
Watch Inputs
"Watch" replaces "batch" from Splunk 2.0 .
Actions & Objects
add watch [source] [-parameter value] ...
edit watch [source] [-parameter value] ...
remove watch [source]
list watch
Default Parameter
- source
path to the directory whose contents should be recursively indexed once
by the Splunk Server, and then watched for new files. The Splunk Server
will unpack tarfiles and compressed files. If there are live files still
being updated, use "tail" instead of "watch".
Required Parameters
- source
Optional Parameters
- sourcetype
Source type value to set on events from the source. Use Splunk's pre-trained source types whenever possible.
- index
Splunk index into which to place events from the source
- hostname
Hostname or IP address to set as the host:: value
for example, web01.mycorp.com
- hostregex
regular expression on file path to set as the host value
for example, -hostregex "archive\/([^\/]*)200[0-9]" on /archive/web0120060333.Z sets host::web01
- hostsegmentnum
number of the segment in the file path to set as the host value
for example, -hostsegmentnum 2 on /var/web01/archive/ sets host::web01
- method
copy or symlink, how to bring files into the server's workspace - default is copy
- auth
username:password to authenticate the command to a Splunk Professional server
Examples
# splunk add watch /mnt/archive -hostsegmentnum 3
# splunk edit watch /mnt/archive -sourcetype myApp -auth gwb:d3cidr
Use no more than one of -hostname, -hostregex or -hostsegmentnum per command.
Use "spool" to index a file once and forget about it.
Use "add watch" to monitor an archive directory for newly-arrived, closed files.
Use "add tail" to index active log files and directories with live as well as closed files.
Watch replaces the former "batch" input.
FIFO Inputs
Actions & Objects
add fifo [source] [-parameter value] ...
edit fifo [source] [-parameter value] ...
remove fifo [source]
list fifo
Default Parameter
- source
path to a FIFO or named pipe whose contents should be indexed
Required Parameters
- source
Optional Parameters
- sourcetype
Source type value to set on events from the source. Use Splunk's pre-trained source types whenever possible.
- index
Splunk index into which to place events from the source
- hostname
Hostname or IP address to set as the host:: value
for example, web01.mycorp.com
- hostregex
regular expression on file path to set as the host value
for example, -hostregex "archive\/([^\/]*)200[0-9]" on /archive/web0120060333.Z sets host::web01
- hostsegmentnum
number of the segment in the file path to set as the host value
for example, -hostsegmentnum 2 on /var/web01/archive/ sets host::web01
- auth
username:password to authenticate the command to a Splunk Professional server
Examples
# splunk add fifo /var/run/syslogfifo -sourcetype linux_messages_syslog
# splunk edit fifo /var/run/syslogfifo -hostname web01
Use no more than one of -hostname, -hostregex or -hostsegmentnum per command.
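An added example, not part of the Splunk documentation: creating the named pipe that "add fifo" will read from. Whoever can write to the FIFO can inject events into the index, so the pipe is created owner-only (0600) and re-checked after creation because the umask can widen the mode passed to mkfifo. The path under a temporary directory is used only so the example runs stand-alone; in practice it would be the path given to `splunk add fifo`, such as /var/run/syslogfifo in the example above.

```python
import os
import stat
import tempfile

# Added example (not Splunk's code): create a private FIFO for `add fifo`.


def create_log_fifo(path, mode=0o600):
    """Create a named pipe at `path`, or accept an existing one, and force
    the permission bits so that only the owner can read or write it."""
    if os.path.lexists(path):
        if not stat.S_ISFIFO(os.lstat(path).st_mode):
            raise FileExistsError(f"{path} exists and is not a FIFO")
    else:
        os.mkfifo(path, mode)  # mode is masked by the umask, hence the chmod
    os.chmod(path, mode)
    return path


def is_fifo(path):
    return stat.S_ISFIFO(os.lstat(path).st_mode)


def fifo_is_private(path):
    """True if the path is a FIFO with no group or other permission bits,
    i.e. no other local user can inject or read log events through it."""
    st = os.lstat(path)
    return stat.S_ISFIFO(st.st_mode) and (st.st_mode & 0o077) == 0


def demo():
    """Create a FIFO in a fresh temporary directory and report its state."""
    workdir = tempfile.mkdtemp()
    path = create_log_fifo(os.path.join(workdir, "syslogfifo"))
    return path, fifo_is_private(path)


if __name__ == "__main__":
    path, private = demo()
    print(path, "private" if private else "NOT private")
```

A reader of a FIFO blocks until a writer opens it and sees end-of-file when the last writer closes, so the process feeding the pipe (for example the syslog daemon) should be started before, and kept running alongside, the Splunk input.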
Network Port (TCP, UDP) Inputs
Actions & Objects
add [tcp|udp] [source] [-parameter value] ...
edit [tcp|udp] [source] [-parameter value] ...
remove [tcp|udp] [source]
list [tcp|udp]
Default Parameter
- source
number of the TCP or UDP network port on which the Splunk Server
should listen for and index incoming events.
Required Parameters
- source
Optional Parameters
- sourcetype
Source type value to set on events from the source. Use Splunk's pre-trained source types whenever possible.
- index
Splunk index into which to place events from the source
- hostname
Hostname or IP address to set as the host:: value
for example, web01.mycorp.com
- resolvehost
true or false, whether to use DNS to set the host:: value - default is false
- auth
username:password to authenticate the command to a Splunk Professional server
Examples
# splunk add udp 514 -sourcetype syslog
# splunk edit udp 514 -resolvehost true -auth gwb:d3cidr
Ports below 1024 require the Splunk Server to run with root privilege. Where possible, listen on a port above 1024 instead of giving the indexer root. Note also that a UDP input accepts any datagram that reaches the port: neither the sender nor the hostname written inside the message is authenticated.
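An added example, not code from the Splunk documentation: a loopback UDP exchange that shows what a network input actually receives. The sender builds a syslog-style datagram whose hostname field is chosen by the sender; the receiver sees that text plus the datagram's source address, which is all a UDP listener has to go on. The listener here binds an ephemeral port so the example runs stand-alone (in real use Splunk is the listener, on the port given to `add udp`); the message format, tag and hostnames are constructed for the example.

```python
import socket
import time

# Added example (not Splunk's code): send a test datagram to a UDP input and
# show which parts of what the listener receives are sender-controlled.


def build_syslog_datagram(facility, severity, hostname, tag, message):
    """Classic BSD syslog line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG.
    `hostname` is whatever the sender chooses to write."""
    pri = facility * 8 + severity
    t = time.localtime()
    ts = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{pri}>{ts} {hostname} {tag}: {message}".encode()


def start_listener(bind_addr="127.0.0.1", port=0, timeout=2.0):
    """Bind a UDP socket; port 0 asks the OS for a free ephemeral port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((bind_addr, port))
    s.settimeout(timeout)
    return s


def send_syslog(datagram, host, port):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))


def receive_one(listener):
    """Return the payload and the source IP the kernel reports for it."""
    data, (src_ip, _src_port) = listener.recvfrom(65535)
    return data, src_ip


def roundtrip(claimed_hostname="web01"):
    """Send one datagram to a local listener and return (text, source_ip)."""
    listener = start_listener()
    try:
        port = listener.getsockname()[1]
        dg = build_syslog_datagram(1, 6, claimed_hostname, "inputcheck", "hello")
        send_syslog(dg, "127.0.0.1", port)
        data, src_ip = receive_one(listener)
    finally:
        listener.close()
    return data.decode(), src_ip


if __name__ == "__main__":
    text, src_ip = roundtrip()
    print(f"received from {src_ip}: {text}")
```

The claimed hostname inside the payload and the source address are independent: a fixed -hostname pins host:: regardless of either, while -resolvehost true derives it through DNS, so the reverse-DNS zone for the sending networks must be trustworthy before relying on it.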
Database Table (ODBC) Inputs
Actions & Objects
add odbc [source] [-parameter value] ...
edit odbc [source] [-parameter value] ...
remove odbc [source]
list odbc
Default Parameter
- source
ODBC database table that the Splunk Server should monitor and read.
The format is DSN:table as specified in your odbc.ini file, for example myDB:stats
Required Parameters
- source
Optional Parameters
- interval
period in minutes at which the Splunk Server should check the table for updates
- sourcetype
Source type value to set on events from the source. Use Splunk's pre-trained source types whenever possible.
- index
Splunk index into which to place events from the source
- host
Hostname or IP address to set as the host:: value
- auth
username:password to authenticate the command to a Splunk Professional server
Examples
# splunk add odbc myDB:stats -host web01
# splunk edit odbc myDB:stats -sourcetype myApp -auth gwb:d3cidr
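An added example, not from the Splunk documentation: validating a DSN:table source against odbc.ini before running `add odbc`. It splits the source into DSN and table, requires the table to be a plain identifier (the server will use the name in a query), and confirms the DSN is actually defined in odbc.ini. The odbc.ini content is a constructed sample embedded for the example; the driver path and server names in it are placeholders.

```python
import configparser
import re

# Added example (not Splunk's code): check a DSN:table source before `add odbc`.

# Constructed sample odbc.ini; the DSN "myDB" matches the page's example source.
SAMPLE_ODBC_INI = """
[ODBC Data Sources]
myDB = PostgreSQL Unicode

[myDB]
Driver = /usr/lib/psqlodbc.so
Database = appstats
Servername = db01.example.com
Port = 5432
"""

_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_odbc_source(source):
    """Split 'DSN:table' and reject anything that is not a bare table name."""
    if source.count(":") != 1:
        raise ValueError("source must be DSN:table, for example myDB:stats")
    dsn, table = source.split(":")
    if not dsn:
        raise ValueError("empty DSN")
    if not _IDENTIFIER.match(table):
        raise ValueError(f"{table!r} is not a plain table identifier")
    return dsn, table


def load_dsns(ini_text):
    """Return the DSN names defined in odbc.ini text (every section except
    the catalogue section [ODBC Data Sources])."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(ini_text)
    return {name for name in cp.sections() if name != "ODBC Data Sources"}


def validate_odbc_source(source, ini_text=SAMPLE_ODBC_INI):
    """Return (dsn, table) if the source is well-formed and the DSN exists."""
    dsn, table = parse_odbc_source(source)
    if dsn not in load_dsns(ini_text):
        raise LookupError(f"DSN {dsn!r} is not defined in odbc.ini")
    return dsn, table


if __name__ == "__main__":
    print(validate_odbc_source("myDB:stats"))
```

Because a DSN section can carry database credentials, keep odbc.ini readable only by the account the Splunk Server runs as, and give that database account read access to the monitored table only.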
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6.