Splunk® Enterprise

Search Reference

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

input

Description

Adds or disables sources from being processed by the search. Enables or disables inputs in inputs.conf with optional sourcetype and index settings. Any additional attribute=values are added to inputs.conf. The input command is generally to be used in conjunction with the crawl command. If you have Splunk Enterprise, you can view the log of changes to inputs in the following file: $SPLUNK_HOME/var/log/splunk/inputs.log.

Syntax

input (add | remove) [sourcetype=string] [index=string] [string=string]...

Optional arguments

sourcetype
Datatype: <string>
Description: When adding a new input, label the input so the data it acquires uses this sourcetype.
index
Datatype: <string>
Description: When adding a new input, label the input so the data it acquires is sent to this index. Make sure this index exists.
string
Datatype: <string>
Description: Used to specify custom user fields.

Examples

Example 1:

Remove all csv files that are currently being processed

| crawl | search source=*csv | input remove

Example 2:

Add all sources found in Bob's home directory to the 'preview' index with sourcetype=text, setting custom user fields 'owner' and 'name'

| crawl root=/home/bob/txt | input add index=preview sourcetype=text owner=bob name="my nightly crawl"

Example 3:

Add each source found by crawl in the default index with automatic source classification (sourcetyping)

| crawl | input add

See also

crawl

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the input command.

PREVIOUS
iconify
  NEXT
inputcsv

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.3, 6.0.4, 6.0.5, 6.0.2, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.10, 6.2.11, 4.3.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.12, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 6.2.13, 6.2.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters