inputs.conf

inputs.conf

The following are the spec and example files for inputs.conf.

inputs.conf.spec

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.1.5 

# This file contains possible attributes and values you can use to configure inputs,
# distributed inputs and file system monitoring in inputs.conf.
#
# There is an inputs.conf in $SPLUNK_HOME/etc/system/default/.  To set custom configurations, 
# place an inputs.conf in $SPLUNK_HOME/etc/system/local/.  For examples, see inputs.conf.example.
# You must restart Splunk to enable new configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles
#

#*******
# GENERAL SETTINGS:
# The following attributes/value pairs are valid for ALL input types (except file system change monitor).
# You must first enter a stanza header, specifying the input type.  
# Then, use any of the following attribute/value pairs.
#*******

host = <string>
* Set the default host to a static value.
* "host=" is automatically prepended to <string>.
* Defaults to the IP address of fully qualified domain name of the host where the data originated.

index = <string>
* Set the index to store events from this input.
* "index=" is automatically prepended to <string>.
* Defaults to "index=main" (or whatever you have set as your default index).

source = <string>
* Set the source for events from this input. 
* "source=" is automatically prepended to <string>.
* Defaults to the file path.

sourcetype = <string>
* Set the sourcetype for events from this input.
* "sourcetype=" is automatically prepended to <string>.
* Splunk automatically picks a source type based on various aspects of your data.  There is no hard-coded default.

queue = parsingQueue | indexQueue
* Specify where the input processor should deposit the events it reads.
* Set to "parsingQueue" to apply props.conf and other parsing rules to your data.
* Set to "indexQueue" to send your data directly into the index.
* Defaults to parsingQueue.

_TCP_ROUTING = <tcpout_group_name>,<tcpout_group_name>,<tcpout_group_name>
* comma separated list of tcpout group names
* Using this you can selectively forward your data to specific indexer(s).
* Specify the tcpout group forwarder should use when forwarding your data.
  The tcpout group names are defined in outputs.conf with [tcpout:<tcpout_group_name>]
* Defaults to groups present in 'defaultGroup' in tcpout stanza in outputs.conf.

#*******
# Valid input types follow, with input-specific attributes listed as well:
#*******


#*******
# MONITOR:
#*******

[monitor://<path>]
* This directs Splunk to watch all files in <path>. 
* <path> can be an entire directory or just a single file.
* You must specify the input type and then the path, so put three slashes in your path if you're starting at the root.

# Additional attributes:

host_regex = <regular expression>
* If specified, <regular expression> extracts host from the filename of each input. 
* Specifically, the first group of the regex is used as the host. 
* If the regex fails to match, the default "host =" attribute is used.

host_segment = <integer>
* If specified, the '/' separated segment of the path is set as host. 
* If the value is not an integer, or is less than 1, the default "host =" attribute is used.

whitelist = <regular expression>
* If set, files from this path are monitored only if they match the specified regex.
* Takes precedence over the deprecated _whitelist, which functions the same.

blacklist = <regular expression>
* If set, files from this path are NOT monitored if they match the specified regex.
* Takes precedence over the deprecated _blacklist, which functions the same.

Note: Wildcards and monitor:
* You can use wildcards to specify your input path for monitored input. Use ... for paths and * for files.
* ... recurses through directories until the match is met. This means that /foo/.../bar will match foo/bar, foo/1/bar, foo/1/2/bar, etc. but only if bar is a file.
 * To recurse through a subdirectory, use another .... For example /foo/.../bar/....
* * matches anything in that specific path segment. It cannot be used inside of a directory path; it must be used in the last segment of the path. For example /foo/*.log matches /foo/bar.log but not /foo/bar.txt or /foo/bar/test.log.
 * Combine * and ... for more specific matches:
 * foo/.../bar/* matches any file in the bar directory within the specified path.

crcSalt = <string>
* Use this to force Splunk to consume files with matching CRCs.
* Set any string to add to the CRC.
* If set to "crcSalt = <SOURCE>", then the full source path is added to the CRC.
	
followTail = 0 | 1
* If set to 1, monitoring begins at the end of the file (like tail -f).
* This only applies to files the first time Splunk sees them.
* After that, Splunk's internal file position records keep track of the file. 
 
alwaysOpenFile = 0 | 1
* Opens a file to check if it has already been indexed.
* Only useful for files that don't update modtime.
* Should only be used for monitoring files on Windows, and mostly for IIS logs.
* NOTE: This flag should only be used as a last resort, as it increases load and slows down indexing.

time_before_close = <integer>
* Modtime delta required before Splunk can close a file on EOF.
* Tells the system not to close files that have been updated in past <integer> seconds.
* Defaults to 3.

recursive = true|false
* if false, will not go into subdirectories found within a monitored directory
* defaults to true

followSymlink
* if false, will ignore symbolic links found within a monitored directory
* defaults to true 

_whitelist = ...
* This setting is deprecated.  It is still honored, unless whitelist exists as well.

_blacklist = ...
* This setting is deprecated.  It is still honored, unless blacklist exists as well.

dedicatedFD = ...
* This setting has been removed.  It is no longer needed.

  
#*******
# BATCH:
#*******

NOTE: Batch should only be used for large archives of historic data. If you want to continuously monitor a direcotry, or index small archives, use monitor (above).

[batch://<path>]
* One time, destructive input.
* For continuous, non-destructive inputs, use **monitor**.

# Additional attributes:

move_policy = sinkhole.
* Important = You must set move_policy = sinkhole.
* This loads the file destructively.  
* Do not use this input type for files you do not want to consume destructively.

host_regex (see MONITOR, above)
host_segment (see MONITOR, above)

# IMPORTANT: The following are not used by batch:
source = <string>
<KEY> = <string>


#*******
# TCP: 
#*******

[tcp://<remote server>:<port>]
* Configure Splunk to listen on a specific port. 
* If a connection is made from <remote server>, this stanza is used to configure the input.
* If <remote server> is blank, this stanza matches all connections on the specified port.

# Additional attributes:

connection_host = ip | dns | none
* Set to "ip," "dns" or "none."
* "ip" (or "false") sets the TCP input processor to rewrite the host with the IP address of the remote server. 
* "dns" sets the host to the DNS entry of the remote server.
* "none" leaves the host as specified for this stanza.
* Defaults to ip.


#*******
# Data distribution:
#*******

[splunktcp://<remote server>:<port>]
* This is the same as TCP, except the remote server is assumed to be a Splunk server. 
* For SplunkTCP, the host or connection_host will be used if the remote Splunk server does not set a host, or if the host is set to host::localhost.
* See documentation (http://www.splunk.com/doc/latest/admin/ForwardingReceiving) for help. 

enableS2SHeartbeat = true | false
* This allows detection of dead forwarders due to network, firewall etc
* Splunk will monitor the connection for presense of heartbeat and if the heartbeat is
* not seen for s2sHeartbeatTimeout, receiver will close the connection.
* This overrides the default value specified at global splunktcp stanza.
* This is true by default

s2sHeartbeatTimeout = <seconds>
* Timeout value in seconds
* Splunk will monitor for forwarder connections and close the connection if
* heartbeat is not seen for s2sHeartbeatTimeout seconds
* This overrides the default value specified at global splunktcp stanza.
* Has default value of 600 seconds

[splunktcp]
route = has_key | absent_key:<key>:<queueName>;...
* Settings for the light forwarder.
* Splunk sets these parameters automatically -- you DO NOT need to set them.
* The property route is composed of rules delimited by ';'.
* Splunk checks each incoming data payload via cooked tcp port against the route rules. 
* If a matching rule is found, Splunk sends the payload to the specified <queueName>.
* If no matching rule is found, Splunk sends the payload to the default queue
  specified by any queue= for this stanza. If no queue= key is set in
  the stanza or globally, the events will be sent to the parsingQueue. 


compressed = true | false
* Send compressed data? y/n?
* Defaults to false.
* If this is set to true, the forwarder port should also have compression turned on.

enableS2SHeartbeat = true | false
* This specifies global keepalive setting for all splunktcp ports.
* This is true by default

s2sHeartbeatTimeout = <seconds>
* This specifies global keepalive setting for all splunktcp ports.
* Has default value of 600 seconds

inputShutdownTimeout = <seconds>
* This flag is used during shutdown. To minimize data loss when forwarders are connected
  to receiver, during shutdown the tcp input processor waits for given amount of 
  seconds and then closes the connection after timeout. As a result, shutdown completion 
  is delayed by given amount. If the connections close before the timeout period, the 
  shutdown proceeds normally.

# SSL settings for data distribution:

[splunktcp-ssl:PORT]
* Use this stanza name if you are sending encrypted, cooked data from Splunk.
* Set PORT to the port on which your forwarder is sending cooked, encrypted data.
* Forwarder settings are set in outputs.conf on the forwarder-side.

enableS2SHeartbeat = true | false
* Please see doc for [splunktcp:PORT]

s2sHeartbeatTimeout = <seconds>
* Please see doc for [splunktcp:PORT]

compressed = true | false
* Send compressed data? y/n?
* Defaults to false.
* If this is set to true, the forwarder port should also have compression turned on.


[tcp-ssl:PORT]
* Use this stanza name if you are sending encrypted, raw data from a third-party system.
* Set PORT to the port on which your forwarder is sending raw, encrypted data.
	
[SSL]
* Set the following specifications for SSL underneath this stanza name:

serverCert = <path>
* Full path to the server certificate.
	
password = <string>
* Server certificate password, if any.

rootCA = <string>
* Certificate authority list (root file).

requireClientCert = true | false
* Toggle whether it is required for a client to authenticate.
supportSSLV3Only = <true|false>
* If true, tells the inputproc to only accept connections
* from SSLv3 clients.
* Default is false.

cipherSuite = <cipher suite string>
* If set, uses the specified cipher string for the input processors.
* If not set, uses the default cipher string
* provided by OpenSSL.  This is used to ensure that the server does not
* accept connections using weak encryption protocols.


#*******
# UDP:
#*******

[udp://<port>]
* Similar to TCP, except that it listens on a UDP port.


# Additional attributes:

_rcvbuf = <integer>
* Specify the receive buffer for the UDP port (in bytes).  
* If the value is 0 or negative, it is ignored.  
* Defaults to 1,572,864.
* Note: The default in the OS varies.

no_priority_stripping = true
* If this attribute is set to true, then Splunk does NOT strip the <priority> syslog field from received events. 
* NOTE: Do NOT include this key if you want to strip <priority>.

no_appending_timestamp = true
* If this attribute is set to true, then Splunk does NOT append a timestamp and host to received events.
* NOTE: Do NOT include this key if you want to append timestamp and host to received events.
 

#*******
# FIFO:
#*******

[fifo://<path>]
* This directs Splunk to read from a FIFO at the specified path.


#*******
# Scripted Input:
#*******

[script://<cmd>]
* Runs <cmd> at a configured interval (below) and indexes the output.  
* The command must reside in $SPLUNK_HOME/etc/system/bin/, $SPLUNK_HOME/etc/apps/$YOUR_APP/bin/ or $SPLUNK_HOME/bin/scripts/
* We ship severeal Windows-only scripted inputs. Check towards the end of inputs.conf.example for the specific block you need to add to your local inputs.conf 
* <cmd> can also be a path to a file that ends with a ".path" suffix.  A file
with this suffix is a special type of pointer file that points to a command to
be executed.  Whereas the pointer file is bound by the same location
restrictions mentioned above, the command referenced inside it can reside
anywhere on the file system.  This file must contain exactly one line, which
would be the path to the command to execute, optionally followed by command
line arguments.  Additional empty lines and lines that begin with '#' are also
permitted and will be ignored.

interval = <integer>|<cron schedule>
* How often to execute the specified command (in seconds), or a valid cron schedule. 
* NOTE: when a cron schedule is specified the script is not executed on start up
* Defaults to 60 seconds.

passAuth = <username>
* User to run the script under. 
* If you provide a username, Splunk generates an auth token for that user and passes it to the script via stdin.
    

#*******
# File system change monitor
#*******

NOTE: You cannot simultaneously watch a directory using fs change monitor and monitor (above).

[fschange:<path>]
* Monitors all add/update/deletes to this directory and sub directories.
* NOTE: <path> is the direct path.  You do not need to preface it with // like other inputs.
* Sends an event for every change.

# Additional attributes:
# NOTE: fschange does not use the same attributes as other input types (above).  Use only the following attributes.

index = <indexname>
* The index to store all events generated.  
* Defaults to _audit, unless you do not set signedaudit (below) or set signedaudit = false, in which case events go into the default index.

signedaudit = true | false
* Send cryptographically signed add/update/delete events.
* If set to true, events are *always* sent to the '_audit' index and will *always* have the source type 'audittrail'.
* If set to false, events are placed in the default index and the source type is whatever you specify (or 'fs_notification' by default).
* You must set signedaudit to false if you wish to set the index.
* NOTE: You MUST also enable auditing in audit.conf.
* Defaults to false.

filters = <filter1>,<filter2>,...<filterN>
* Each filter is applied left to right for each file or directory found during the monitor's poll cycle. 
* See "File System Monitoring Filters" below for help defining a filter.

recurse = true | false
* If true, recurse directories within the directory specified in [fschange].
* Defaults to true.

followLinks = true | false
* Follow symbolic links if true. 
* It is recommended that you do not set this to true or file system loops may occur. 
* Defaults to false.

pollPeriod = <integer>
* Check this directory for changes every <integer> seconds. 
* Defaults to 3600.

hashMaxSize = <integer>
* Calculate a SHA256 hash for every file that is less than or equal to <integer> bytes. 
* This hash is used as an addional method for detecting changes to the file/directory. 
* Defaults to -1 (disabled).

fullEvent = true | false
* Set to true to send the full event if an add or update change is detected. 
* Further qualified by the 'sendEventMaxSize' attribute. 
* Defaults to false.

sendEventMaxSize  = <integer>
* Only send the full event if the size of the event is less than or equal to <integer> bytes. 
* This limits the size of indexed file data. 
* Defaults to -1, which is unlimited.

sourcetype = <string>
* Set the sourcetype for events from this input.
* "sourcetype=" is automatically prepended to <string>.
* Defaults to audittrail (if signedaudit=true) or fs_notification (if signedaudit=false).

host = <string>
* Set the host for events from this input
* Defaults to whatever host sent the event

index = <string>
* Set the index for events from this input
* Defaults to the main index
  	
filesPerDelay = <integer>
* Injects a delay specified by 'delayInMills' after processing <integer> files.
* This is used to throttle file system monitoring so it doesn't consume as much CPU.

delayInMills = <integer>
* The delay in milliseconds to use after processing every <integer> files as specified in 'filesPerDelay'.
* This is used to throttle file system monitoring so it doesn't consume as much CPU.


#*******
# File system monitoring filters:
#*******

[filter:<filtertype>:<filtername>]
* Define a filter of type <filtertype> and name it <filtername>.
    
<filtertype>
* Filter types are either 'blacklist' or 'whitelist.' 
* A whitelist filter processes all file names that match the regex list.
* A blacklist filter skips all file names that match the regex list.

<filtername>
* The filter name is used in the comma-separated list when defining a file system monitor.
	
regex<integer> = <regex>	
* Blacklist and whitelist filters can include a set of regexes.
* The name of each regex MUST be 'regex<integer>', where <integer> starts at 1 and increments. 
* Splunk applies each regex in numeric order:
  regex1=<regex>
  regex2=<regex>
  ...

#*******
# WINDOWS INPUTS:
#*******

* Windows platform specific input processor.
* Security, Application, System are enabled by default.  To disable an input type, 
comment it out or set disabled = 1 in $SPLUNK_HOME\etc\apps\windows\local\inputs.conf
* You can configure Splunk to read other Windows event logs as well, but you must 
import them to the Windows Event Viewer first, and then add them to your local 
copy of inputs.conf (in $SPLUNK_HOME\etc\apps\windows\local\inputs.conf). 
Just use the same format as the ones shown below [WinEventLog:<event log name>] 
and the line disabled = 0. 

[WinEventLog:<Log Name>] 
* Define a windows event log to monitor

disabled = <integer> 1|0
* Enable or disable this input.

start_from = <string> oldest|newest
* oldest - Start reading windows event log chronologicaly from oldest to newest 
* newest - Start reading windows event log in revers, from newest to oldest.  Once the
backlog of events is consumed, then it will start picking up the newest events

current_only = <integer> 1|0
* If set to 1 it emulates tail, only monitor new coming events.  If set to 0 it will first
get all existing events in the system and then monitor events coming in real time.

checkpointInterval = <integer> seconds 
* An integer greater then 0.  Sets the interval of how often the windows event log checkpoint
it will be saved.  The default value is 5.

evt_resolve_ad_obj = <integer> 1|0  Enables/disables resolving active directory objects like
GUID/SID objects for a specific windows event log channel.  By default this option
it turned on for Security event logs.  Optionally you can specify the Domain Controller
name and/or DNS name of the domain to bind to which then splunk will use to resolve the
AD objects.

evt_dc_name = <string> Optional, this parameter can be left empty. 
Domain Controller Name to bind to.  This name can be the name of the domain controller 
or the fully-qualified DNS name of the domain controller.  Either name type can, 
optionally, be preceded by two backslash characters.  All of the following examples 
represent correctly formatted domain controller names:

    * "FTW-DC-01"
    * "\\FTW-DC-01"
    * "FTW-DC-01.splunk.com"
    * "\\FTW-DC-01.splunk.com"

evt_dns_name = <string> Optional, this parameter can be left empty.  
Fully-qualified DNS name of the domain to bind to

* There are several Windows-only scripted inputs that we ship.  They are
defined in the default inputs.conf.  By default some of them are enabled and
others are disabled.  This is a list of the input stanzas:
    [script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
    [script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path]
    [script://$SPLUNK_HOME\bin\scripts\splunk-admon.path]
    [script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
* Use the "disabled=" parameter to enable/disable any of these inputs.
* Short summary of the inputs:
  * WMI: retreives events logs remotely and locally.  It can also gather
    performance data, as well as receive various system notifications.
  * RegMon: It uses a driver to track and report any changes that occur in the
    local system registry.
  * ADMon: It indexes existing AD object and listens for AD changes.
  * PerfMon: Retrieves performance data.

inputs.conf.example

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.1.5 
#
# This is an example inputs.conf.  Use this file to configure data inputs.
#
# To use one or more of these configurations, copy the configuration block into
# inputs.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to 
# enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles


# The following configuration directs Splunk to read all the files in the directory /var/log.

[monitor:///var/log]


# The following configuration directs Splunk to read all the files under /var/log/httpd and classify them 
# as sourcetype::access_common.

[monitor:///var/log/httpd]
sourcetype = access_common


# The following configuration directs Splunk to read all the files under /mnt/logs. When the path is 
# /mnt/logs/<host>/... it sets the hostname (by file) to <host>.

[monitor:///mnt/logs]
host_segment = 3


# The following configuration directs Splunk to listen on TCP port 9997 for raw data from ANY remote server 
# (not just a Splunk instance). The host of the data is set to the IP address of the remote server.

[tcp://:9997]


# The following configuration directs Splunk to listen on TCP port 9995 for raw data from ANY remote server.
# The host of the data is set as the host name of the remote server.  All data will also be
# assigned the sourcetype "log4j" and the source "tcp:9995".

[tcp://:9995]
connection_host = dns
sourcetype = log4j
source = tcp:9995


# The following configuration directs Splunk to listen on TCP port 9995 for raw data from 10.1.1.10. 
# All data is assigned the host "webhead-1", the sourcetype "access_common" and the
# the source "//10.1.1.10/var/log/apache/access.log".

[tcp://10.1.1.10:9995]
host = webhead-1
sourcetype = access_common
source = //10.1.1.10/var/log/apache/access.log


# The following configuration sets a global default for data payloads sent from the light forwarder.
# The route parameter is an ordered set of rules that is evaluated in order for each payload of cooked data.

[splunktcp]
route=has_key:_utf8:indexQueue;has_key:_linebreaker:indexQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue;


# The following configuration directs Splunk to listen on TCP port 9996 for
# splunk cooked event data from ANY splunk forwarder.
# The host of the data is set to the host name of the remote server ONLY IF the
# remote data has no host set, or if it is set to "localhost".

[splunktcp://:9996]
connection_host = dns


# The following configuration directs Splunk to listen on TCP port 9998 for distributed search data from  
# 10.1.1.100. The data is processed the same as locally indexed data.

[splunktcp://10.1.1.100:9996]


# The following configuration directs Splunk to listen on TCP port 514 for data from 
# syslog.corp.company.net. The data is assigned the sourcetype "syslog" and the host 
# is set to the host name of the remote server.

[tcp://syslog.corp.company.net:514]
sourcetype = syslog
connection_host = dns


# Set up SSL:

[SSL]
serverCert=$SPLUNK_HOME/etc/auth/server.pem
password=password
rootCA=$SPLUNK_HOME/etc/auth/cacert.pem
requireClientCert=false

[splunktcp-ssl:9996]


# Enable Windows Registry monitoring (Windows only)
# This example shows how to enable Windows Registry monitoring as a scripted input. 
# Because the Windows Registry can generate a high volume of events, Windows Registry monitoring 
# is also affected by two other configuration files, sysmon.conf and regmon.conf:
# * sysmon.conf contains global settings for which event types (adds, deletes, renames, and so on) 
# to monitor, which regular expression filters from the regmon-filters.conf file to use, and 
# whether or not Windows registry events are monitored at all.
# * regmon-filters.conf contains the specific regular expressions you create to refine and filter 
# the hive key paths you want Splunk to monitor.
# Splunk recommends that you refer to the documentation about Windows Registry monitoring at 
# http://www.splunk.com/base for more details.
# You must make the change shown below in inputs.conf in $SPLUNK_HOME/etc/system/local/. 
# You must restart Splunk to enable configurations. 

[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.py]
interval = 60
sourcetype = WinRegistry
source = WinRegistry
disabled = 0

# Enable WMI input (Windows only)
# This example shows how to enable WMI input as a scripted input.
# WMI input is also affected by configurations in wmi.conf. 
# Splunk recommends that you refer to the documentation about WMI input at http://www.splunk.com/base
# for more details.
# You must make this change in inputs.conf in $SPLUNK_HOME/etc/apps/windows/local/. 
# You must restart Splunk to enable configurations.

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.py]
disabled = 0


# Use file system change monitor:

[fschange:/etc/]
fullEvent=true
pollPeriod=60
recurse=true
sendEventMaxSize=100000
index=main 

# Monitor Windows event logs Security:

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 1
checkpointInterval = 5

# Monitor Windows event logs ForwardedEvents:

[WinEventLog:ForwardedEvents]
disabled = 0
start_from = newest 
current_only = 1
checkpointInterval = 5

• Was this topic useful?
• Post a comment