input
input
Synopsis
Adds or disables sources from being processed by Splunk.
Syntax
input (add|remove) [sourcetype=string] [index=string] [string=string]*
Optional arguments
- sourcetype
- Datatype: <string>
- Description: Adds or removes (disables) sources from being processed by splunk, enabling or disabling inputs in inputs.conf, with optional sourcetype and index settings.
- index
- Datatype: <string>
- Description: Adds or removes (disables) sources from being processed by splunk, enabling or disabling inputs in inputs.conf, with optional sourcetype and index settings.
Description
Adds or removes (disables) sources from being processed by splunk, enabling or disabling inputs in inputs.conf, with optional sourcetype and index settings. Any additional attribute=values are set added to inputs.conf. Changes are logs to $splunk_home/var/log/splunk/inputs.log. Generally to be used in conjunction with the crawl command.
Examples
Example 1: Remove all csv files that are currently being processed
| crawl | search source=*csv | input removeExample 2: Add all sources found in bob's home directory to the 'preview' index with sourcetype=text, setting custom user fields 'owner' and 'name'
| crawl root=/home/bob/txt | input add index=preview sourcetype=text owner=bob name="my nightly crawl"Example 3: Add each source found by crawl in the default index with automatic source classification (sourcetyping)
| crawl | input addSee also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the input command.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 View the Article History for its revisions.