Splunk® Enterprise

Developing Views and Apps for Splunk Web


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Modular inputs configuration

This topic describes several ways to define configuration for modular inputs. It includes the following:

  • How to create and edit the inputs.conf.spec file for modular inputs
  • How Splunk layers configuration for modular inputs
  • How to specify permissions to access modular input apps

Create a modular input spec file

Splunk requires specific locations for all spec files. For modular inputs, the spec file is located in a README directory of the Splunk app implementing the modular input.

$SPLUNK_HOME/etc/apps/<myapp>/README/inputs.conf.spec

The script referenced in the spec file is located here:

$SPLUNK_HOME/etc/apps/<myapp>/bin/<myscript>

Structure of a Splunk spec file

Splunk provides numerous spec files that it uses to configure and access a Splunk server. These default spec files are heavily commented and include examples of how to configure Splunk.

However, the structure of a spec file is quite basic. It requires only the following elements:

  • stanza header (one or more)
  • param values (one or more for each stanza)

The following shows a minimal inputs.conf.spec file. The parameter values are omitted because they are not required; if present, Splunk ignores them. Splunk also ignores the <name> element in the stanza header.

Sample inputs.conf.spec file

[myscript://<name>]
param1 =

Writing valid spec files

Here are some things to keep in mind when writing spec files:

  • The inputs.conf.spec file must be at the following location:
$SPLUNK_HOME/etc/apps/<app_name>/README/
  • The following regex defines valid identifiers for the scheme name (the name before the ://) and for parameters:
[0-9a-zA-Z][0-9a-zA-Z_-]*
  • Avoid name collision with Splunk built-in scheme names. Do not use any of the following as scheme names for your modular inputs:
batch
fifo
monitor
script
splunktcp
tcp
udp
  • Some parameters are always implicitly defined by Splunk. Specifying any of the following parameters for your modular inputs has no effect. However, you could specify these to help clarify the usage:
source
sourcetype
host
index
disabled
  • Avoid using interval as a parameter. This parameter is reserved by Splunk for future use.
  • Modular inputs can only be defined once. Splunk ignores subsequent definitions (a new scheme stanza) and their parameters.
  • A scheme must define at least one parameter. Duplicate parameters are ignored.
  • Stanza definitions and their parameters must start at the beginning of the line.
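
The rules in this list can be checked before an app is deployed. The following linter is an added example, not Splunk code; its function names are hypothetical, and it assumes that lines beginning with * or # are descriptions rather than settings.

```python
import re

# Rules come from the list above; all names here are hypothetical.
IDENT = re.compile(r"[0-9a-zA-Z][0-9a-zA-Z_-]*")
BUILTIN_SCHEMES = {"batch", "fifo", "monitor", "script", "splunktcp", "tcp", "udp"}
IMPLICIT_PARAMS = {"source", "sourcetype", "host", "index", "disabled"}
# Constructed sample, not taken from any real app.
SAMPLE = "[tcp://<name>]\nport =\n[my-feed://<name>]\napi_key =\ninterval =\napi_key =\n indented =\n"

def lint_spec(text):
    """Return (line_number, message) findings for an inputs.conf.spec body."""
    findings, schemes, current = [], {}, None
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        # Assumption: blank lines and "*"/"#" description lines carry no settings.
        if not stripped or stripped[0] in "*#":
            continue
        if line[0].isspace():
            findings.append((n, "must start at the beginning of the line"))
            continue
        header = re.fullmatch(r"\[(.*?)://.*\]", stripped)
        if header:
            scheme, current = header.group(1), None
            if not IDENT.fullmatch(scheme):
                findings.append((n, f"invalid scheme name {scheme!r}"))
            elif scheme in BUILTIN_SCHEMES:
                findings.append((n, f"{scheme!r} collides with a built-in scheme"))
            elif scheme in schemes:
                findings.append((n, f"scheme {scheme!r} redefined; ignored"))
            else:
                schemes[scheme] = set()
                current = scheme
            continue
        name = stripped.split("=", 1)[0].strip()
        if "=" not in stripped or not IDENT.fullmatch(name):
            findings.append((n, f"invalid parameter line {stripped!r}"))
        elif current is None:
            continue  # parameter belongs to a rejected or missing stanza
        elif name == "interval":
            findings.append((n, "'interval' is reserved"))
        elif name in IMPLICIT_PARAMS:
            findings.append((n, f"{name!r} is implicit; defining it has no effect"))
        elif name in schemes[current]:
            findings.append((n, f"duplicate parameter {name!r}; ignored"))
        else:
            schemes[current].add(name)
    # This linter counts only effective parameters toward the "at least one" rule.
    for scheme, params in schemes.items():
        if not params:
            findings.append((0, f"scheme {scheme!r} defines no parameter"))
    return findings
```

Findings with line number 0 apply to the scheme as a whole rather than to a single line.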

Spec file example

Here is the spec file for the Amazon S3 example.

S3 inputs.conf.spec file

[s3://<name>]
key_id = <value>
* This is Amazon key ID.

secret_key = <value>
* This is the secret key.

Configuration layering for modular inputs

As described in Configure Splunk in the Admin manual, Splunk uses configuration layering across inputs.conf files in your system. Each modular input scheme gets a separate default stanza in inputs.conf.

After Splunk layers the configurations, the configuration stanza for a modular input (myScheme://aaa) inherits values from the global default and scheme default configurations. This contrasts with how configuration in Splunk generally works – typically a configuration stanza only inherits from the global default configuration.

For example, consider the following inputs.conf files in a system:

Global default
.../etc/system/local/inputs.conf

[default]
x = y
index = default
host = myHost

Scheme default
.../etc/apps/myApp/default/inputs.conf

[myScheme]
host = myOtherHost
param1 = p1

Configuration stanza
.../etc/apps/search/local/inputs.conf

[myScheme://aaa]
param2 = p2

Here is how Splunk builds the layered configuration:

  1. First apply the values for index and host from the global default*
  2. Then, apply values from scheme default, overriding any values previously set
  3. Finally, apply values from configuration stanza, overriding any values previously set

*In a typical Splunk installation the values for index and host from the global default configuration apply to all inputs. Other values in the global default configuration are not applied.

The layered outcome of the above configuration example is:

Layered configuration example

[myScheme://aaa]
index = default       #from Global default
host = myHost         #from Global default, overridden by Scheme default
host = myOtherHost    #from Scheme default
param1 = p1           #from Scheme default
param2 = p2           #from Configuration stanza
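
When auditing where an input's index or host value comes from, it helps to resolve the layers mechanically. The following is an added example, not Splunk code; the function names are hypothetical, and it assumes each stanza appears in only one file.

```python
import configparser

GLOBAL_KEYS = ("index", "host")  # only these global-default values apply to inputs

# Constructed from the three inputs.conf files shown above.
FILES = {
    ".../etc/system/local/inputs.conf": "[default]\nx = y\nindex = default\nhost = myHost\n",
    ".../etc/apps/myApp/default/inputs.conf": "[myScheme]\nhost = myOtherHost\nparam1 = p1\n",
    ".../etc/apps/search/local/inputs.conf": "[myScheme://aaa]\nparam2 = p2\n",
}

def load(files):
    """Map stanza name -> (path, settings). Assumes each stanza lives in one file."""
    stanzas = {}
    for path, text in files.items():
        # Move configparser's special DEFAULT section out of the way so that
        # [default] is read as an ordinary stanza.
        cp = configparser.ConfigParser(default_section="__unused__", interpolation=None)
        cp.optionxform = str  # keep key case as written
        cp.read_string(text)
        for name in cp.sections():
            stanzas[name] = (path, dict(cp[name]))
    return stanzas

def effective(files, stanza):
    """Return {key: (value, source_path)} for a scheme://name stanza."""
    stanzas = load(files)
    scheme = stanza.split("://", 1)[0]
    result = {}
    path, settings = stanzas.get("default", (None, {}))
    for key in GLOBAL_KEYS:               # step 1: index and host only
        if key in settings:
            result[key] = (settings[key], path)
    for layer in (scheme, stanza):        # steps 2 and 3: later layers override
        path, settings = stanzas.get(layer, (None, {}))
        for key, value in settings.items():
            result[key] = (value, path)
    return result
```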

Specify permissions for modular input scripts

Read permission for modular input scripts is controlled by the Splunk list_inputs capability. This capability also controls reading of other Splunk input endpoints.

By default, the Splunk admin_all_objects capability controls create and edit permissions for modular inputs. However, you have the option to create a Splunk capability that customizes edit and create permissions for any specific modular input scheme. If the custom capability for a modular input is present, Splunk applies the custom capability rather than the default admin_all_objects capability.

The custom capability for modular inputs takes the following form:

edit_modinput_myscheme

After creating the capability for a modular input, enable it for one or more Splunk user roles.

Caution: Make sure you assign one or more roles for the capability edit_modinput_myscheme; otherwise, no one can create or edit modular inputs for that scheme.

To create a custom capability and assign roles, edit the authorize.conf configuration file. For example, to create a custom create and edit capability for the MyScheme modular input, and then enable it for the admin and power roles, do the following:

$SPLUNK_HOME/etc/apps/<app_name>/default/authorize.conf

[capability::edit_modinput_MyScheme]

[role_admin]
edit_modinput_MyScheme = enabled

[role_power]
edit_modinput_MyScheme = enabled
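
The situation described in the caution above, a declared capability that no role enables, can be detected by reading authorize.conf. The following is an added example, not Splunk code; the function names and the OtherScheme capability are hypothetical, and only capabilities enabled directly in a role stanza are considered.

```python
import configparser

# Constructed sample: edit_modinput_OtherScheme (hypothetical) is declared
# but enabled for no role, so nobody could create or edit inputs for it.
AUTHORIZE_CONF = """
[capability::edit_modinput_MyScheme]

[capability::edit_modinput_OtherScheme]

[role_admin]
edit_modinput_MyScheme = enabled

[role_power]
edit_modinput_MyScheme = enabled
"""

def modinput_capability_roles(text):
    """Map each declared edit_modinput_* capability to the roles that enable it."""
    cp = configparser.ConfigParser(default_section="__unused__",
                                   interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keep capability names exactly as written
    cp.read_string(text)
    caps = {s.split("::", 1)[1]: [] for s in cp.sections()
            if s.startswith("capability::edit_modinput_")}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        for cap in caps:
            # Assumption: only direct assignments in the role stanza count.
            if cp[section].get(cap) == "enabled":
                caps[cap].append(section[len("role_"):])
    return caps

def unassigned(text):
    """Return declared capabilities that no role enables."""
    roles_by_cap = modinput_capability_roles(text)
    return sorted(cap for cap, roles in roles_by_cap.items() if not roles)
```

The same mapping also shows which roles can create or edit inputs for each scheme, which is useful when reviewing who holds that access.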

For more information on Splunk roles and capabilities, refer to:


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18

