Modular inputs configuration
This topic describes several ways to define configuration for modular inputs. It includes the following:
- How to create and edit the
inputs.conf.specfile for modular inputs.
- Splunk's configuration layering for modular inputs
- Specifying permissions to access modular input apps
Create a modular input spec file
Splunk requires specific locations for all spec files. For modular inputs, the spec file is located in a
README directory of the Splunk app implementing the modular input.
The location of script referenced in the spec file is here:
Structure of a Splunk spec file
Splunk provides numerous spec files that it uses to configure and access a Splunk server. These default spec files are heavily commented and includes examples on how to configure Splunk.
However, the structure of a spec file is quite basic. it only requires the following elements:
- stanza header (one or more)
- param values (one or more for each stanza)
The following shows a minimal inputs.conf.spec file. In this file, the values for the parameters are not present. These are not required. If present, Splunk ignores them. Additionally, the <name> element in the stanza header is ignored by Splunk.
Sample inputs.conf.spec file
Writing valid spec files
Here are some things to keep in mind when writing spec files:
inputs.conf.specspec file must be at the following location:
- The following regex defines valid identifiers for the scheme name (the name before the
://) and for parameters:
- Avoid name collision with Splunk built-in scheme names. Do not use any of the following as scheme names for your modular inputs:
- Some parameters are always implicitly defined by Splunk. Specifying any of the following parameters for your modular inputs has no effect. However, you could specify these to help clarify the usage:
- Avoid using
intervalas a parameter. This parameter is reserved by Splunk for future use.
- Modular inputs can only be defined once. Splunk ignores subsequent definitions (a new scheme stanza) and their parameters.
- A scheme must define at least one parameter. Duplicate parameters are ignored.
- The stanza definition and their parameters must start at the beginning of the line.
Spec file example
Here is the spec file for the Amazon S3 example.
S3 inputs.conf.spec file
[s3://<name>] key_id = <value> * This is Amazon key ID. secret_key = <value> * This is the secret key.
Configuration layering for modular inputs
As described in Configure Splunk in the Admin manual, Splunk uses configuration layering across
inputs.conf files in your system. Each modular input scheme gets a separate default stanza in
After Splunk layers the configurations, the configuration stanza for a modular input (
myScheme://aaa) inherits values from the global default and scheme default configurations. This contrasts with how configuration in Splunk generally works – typically a configuration stanza only inherits from the global default configuration.
For example, consider the following
inputs.conf files in a system:
[default] x = y index = default host = myHost
[myScheme] host = myOtherHost param1 = p1
[myScheme://aaa] param2 = p2
Here is how Splunk builds the layered configuration:
- First apply the values for index and host from the global default*
- Then, apply values from scheme default, overriding any values previously set
- Finally, apply values from configuration stanza, overriding any values previously set
*In a typical Splunk installation the values for index and host from the global default configuration apply to all inputs. Other values in the global default configuration are not applied.
The layered outcome of the above configuration example is:
index = default #from Global default
host = myHost #from Global default, overridden by Scheme default
host = myOtherHost #from Scheme default
param1 = p1 #from Scheme default
param2 = p2 #from Configuration stanza
Specify permissions for modular input scripts
Read permission for modular input scripts is controlled by the Splunk
list_inputs capability. This capability also controls reading of other Splunk input endpoints.
By default, the Splunk
admin_all_objects capability controls create and edit permissions for modular inputs. However, you have the option to create a Splunk capability that customizes edit and create permissions for any specific modular input scheme. If the custom capability for a modular input is present, Splunk applies the custom capability rather than the default
The custom capability for modular inputs takes the following form:
After creating the capability for a modular input, enable it for one or more Splunk user roles.
- Caution: Make sure you assign one or more roles for the capability
edit_modinput_myscheme, otherwise no one can create or edit modular inputs for that scheme.
To create a custom capability and assign roles edit the
authorize.conf configuration file. For example, to create a custom create and edit capability for the MyScheme modular input, and then enable it for the admin and power roles, do the following:
[capability::edit_modinput_MyScheme] [role_admin] edit_modinput_MyScheme = enabled [role_power] edit_modinput_MyScheme = enabled
For more information on Splunk roles and capabilities, refer to:
Set up streaming
Create a custom user interface
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18