Configure inputs via the CLI
In addition to using Splunk Web or editing inputs.conf, you can also use Splunk Command Line Interface (CLI) commands to configure data inputs.
To access Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory. Use a CLI command by typing $SPLUNK_HOME/bin/splunk [command name].
Note: Add Splunk to your shell path to use commands from any directory (by typing ./splunk [command name]).
Data input commands
Use Splunk CLI data commands to perform actions on data sources. Commands and data sources take various parameters depending on the combination you use. You can use five different commands to configure data inputs in the CLI:
- Add and configure initial input settings with the add command.
- Use spool to add a file or directory by reading it only once.
- Make changes to an input source location, source host name, or input destination with edit.
- List your currently configured inputs with list.
- Remove a currently configured input with remove.
| Command | Command syntax | Action |
| --- | --- | --- |
| add | add [tail\|watch\|fifo\|tcp\|udp] source [-parameter value] ... | Add a specified data input to Splunk. |
| edit | edit [tail\|watch\|fifo\|tcp\|udp] source [-parameter value] ... | Edit a data input that was previously added. |
| remove | remove [tail\|watch\|fifo\|tcp\|udp] source | Remove a previously added data input. |
| list | list [tail\|watch\|fifo\|tcp\|udp] | List the currently configured data inputs of a specified type. |
| spool | spool source | Add a file, archive, or directory to your index by reading it once. |
Note: Splunk's CLI help pages contain detailed syntax and usage information on all commands, objects, and parameters. Access the main CLI help page by typing: $SPLUNK_HOME/bin/splunk help. Individual commands, objects, and parameters have their own help pages as well; type: $SPLUNK_HOME/bin/splunk help [command/object/parameter name].
Data input types
You must specify a data input type to use with a data input command.
| Data input type | Definition |
| --- | --- |
| tail | A file or directory to be continuously monitored for new input to index. |
| watch | An archive directory to be monitored for new files to index. |
| fifo | A FIFO or named pipe to index from. |
| tcp | A TCP socket (network input) to monitor. |
| udp | A UDP socket (network input) to monitor. |
Change the configuration of each data input type by defining the parameters below.
Note: Optional parameters have the syntax: -parameter value.
Note: Use only one -hostname, -hostregex or -hostsegmentnum per command.
tail parameters
Required parameters
| Parameter | Description |
| --- | --- |
| source | Path to the file or directory to monitor for new input. |
Optional parameters
| Parameter | Description |
| --- | --- |
| sourcetype | Specify a sourcetype field value for events from the input source. |
| index | Specify the destination index for events from the input source. |
| hostname | Specify a host name to set as the host field value for events from the input source. |
| hostregex | Specify a regular expression on the source file path to set as the host field value for events from the input source. |
| hostsegmentnum | Set the number of segments of the source file path to set as the host field value for events from the input source. |
| active-only | (T \| F) True or False. Set True to tell Splunk to keep indexing only files that have write permissions enabled. |
| follow-only | (T \| F) True or False. Default False. When set to True, Splunk reads from the end of the source (like the "tail -f" Unix command). |
watch parameters
Required parameters
| Parameter | Description |
| --- | --- |
| source | Path to a directory to watch for new input. |
Optional parameters
| Parameter | Description |
| --- | --- |
| method | Set the method to bring files into Splunk (symlink or copy). Default is symlink. |
| sourcetype | Specify a sourcetype field value for events from the input source. |
| index | Specify the destination index for events from the input source. |
| hostname | Specify a host name to set as the host field value for events from the input source. |
| hostregex | Specify a regular expression on the source file path to set as the host field value for events from the input source. |
| hostsegmentnum | Set the number of segments of the source file path to set as the host field value for events from the input source. |
fifo parameters
Required parameters
| Parameter | Description |
| --- | --- |
| source | Path to a FIFO or named pipe to index. |
Optional parameters
| Parameter | Description |
| --- | --- |
| sourcetype | Specify a sourcetype field value for events from the input source. |
| index | Specify the destination index for events from the input source. |
| hostname | Specify a host name to set as the host field value for events from the input source. |
| hostregex | Specify a regular expression on the source file path to set as the host field value for events from the input source. |
| hostsegmentnum | Set the number of segments of the source file path to set as the host field value for events from the input source. |
tcp & udp parameters
Required parameters
| Parameter | Description |
| --- | --- |
| source | Port number to listen on for data to index. |
Optional parameters
| Parameter | Description |
| --- | --- |
| sourcetype | Specify a sourcetype field value for events from the input source. |
| index | Specify the destination index for events from the input source. |
| hostname | Specify a host name to set as the host field value for events from the input source. |
| remotehost | Specify an IP address to exclusively accept data from. |
| resolvehost | Set True or False (T \| F). Default is False. Set True to use DNS to set the host field value for events from the input source. |
Examples
tail
Tail only writable files in /var/log/.
- Add /var/log/ as a data input.
  ./splunk add tail /var/log/
- Edit the input you added to tail only files that are still open for writing.
  ./splunk edit tail /var/log -active-only true
watch
Watch a directory and set host and sourcetype field values for each event that's indexed.
- Add a watch to the directory /mnt/archive and set the host field value for events from the source to be the third segment of the file name.
  ./splunk add watch /mnt/archive -hostsegmentnum 3
- Edit the input configuration to set the sourcetype field value for each event from the source to equal "myApp".
  ./splunk edit watch /mnt/archive -sourcetype myApp
fifo
Configure a FIFO input and set the host and sourcetype field values for each event that's indexed.
- Add the FIFO input /var/run/syslogfifo and set the sourcetype field for each event from the source to equal "linux_messages_syslog".
  ./splunk add fifo /var/run/syslogfifo -sourcetype linux_messages_syslog
- Edit the input configuration to set the host field value for all events from the source to equal "web01".
  ./splunk edit fifo /var/run/syslogfifo -hostname web01
tcp & udp
Configure a network input and set the sourcetype field value for each event that's indexed.
- Configure a UDP input to watch port 514 and set the sourcetype field value for each event to equal "syslog".
  ./splunk add udp 514 -sourcetype syslog
- Set the UDP input to use DNS to resolve the host name and set each event's host value to the resolved host name. You must have root access for ports under 1024. Use the auth parameter to authenticate in line.
  ./splunk edit udp 514 -resolvehost true -auth gwb:d3c1dr
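As an added example (not from Splunk's documentation), a POSIX sh wrapper around the add/edit/remove commands above that checks the page's parameter rules before calling the CLI: a valid port for tcp and udp inputs, a reminder that ports under 1024 need root, and at most one of -hostname, -hostregex or -hostsegmentnum per command. SPLUNK_BIN, DRY_RUN and the function names are assumptions; with DRY_RUN=1 (the default here) it only prints the command line it would run.

```shell
# Added example (not Splunk's code): validate Splunk CLI input commands
# before running them. SPLUNK_BIN, DRY_RUN and the function names are assumptions.
SPLUNK_BIN="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the command only, 0 = run it
# Return 0 if $1 is a port number in 1-65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
# Page rule: only one of -hostname, -hostregex or -hostsegmentnum per command.
one_host_option() {
  n=0
  for a in "$@"; do
    case "$a" in
      -hostname|-hostregex|-hostsegmentnum) n=$((n + 1)) ;;
    esac
  done
  [ "$n" -le 1 ]
}
# splunk_input <add|edit|remove> <tail|watch|fifo|tcp|udp> <source> [-param value ...]
# Prints the command line it would run; runs it only when DRY_RUN=0.
# A -auth user:pass argument is visible in ps output and shell history like any other.
splunk_input() {
  cmd="$1"; kind="$2"; src="$3"; shift 3
  case "$kind" in
    tcp|udp)
      valid_port "$src" || { echo "bad port: $src" >&2; return 2; }
      [ "$src" -lt 1024 ] && [ "$(id -u)" -ne 0 ] &&
        echo "note: port $src needs root" >&2 ;;
    tail|watch|fifo) ;;
    *) echo "unknown input type: $kind" >&2; return 2 ;;
  esac
  one_host_option "$@" ||
    { echo "use only one of -hostname/-hostregex/-hostsegmentnum" >&2; return 2; }
  printf '%s %s %s %s' "$SPLUNK_BIN" "$cmd" "$kind" "$src"
  for a in "$@"; do printf ' %s' "$a"; done
  printf '\n'
  [ "$DRY_RUN" = 0 ] && "$SPLUNK_BIN" "$cmd" "$kind" "$src" "$@"
  return 0
}
# Usage, mirroring the page's udp and watch examples (dry run by default):
splunk_input add udp 514 -sourcetype syslog
splunk_input edit watch /mnt/archive -hostsegmentnum 3
```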
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4.