

This capability also controls reading of other input endpoints.īy default, the admin_all_objects capability controls create and edit permissions for modular inputs. Read permission for modular input scripts is controlled by the list_inputs capability. Specify permissions for modular input scripts derives from the inputs stanza (for single script instance per input stanza mode) or the scheme name (for single script instance mode). The correct way to configure a persistent queue is to put the persistent queue parameters under each inputs stanza: Because each script produces its own stream, it can have its own persistent queue. In this mode, a script is spawned for each inputs stanza. There are differences depending on the type of modular input. You configure persistent queues for modular inputs much as you do with other inputs.

You can use persistent queues with modular inputs much as you do with TCP, UDP, FIFO, and scripted inputs, as described in Use persistent queues to help prevent data loss. You can configure persistent queues with modular inputs. You cannot modify the interval value for single script instance mode using the endpoint. If interval is set under a specific input stanza, that value is ignored.įor single script instance mode, interval cannot be an endpoint argument, even if it is specified in. Single script instance per input stanza modeįor single script instance per input stanza mode, each stanza can specify its own interval parameter.įor single script instance mode, Splunk Enterprise reads the interval setting from the scheme default stanza only. The interval parameter is also useful to ensure that a script restarts, even if a previous instance of the script exits unexpectedly.Įntering an empty value for interval results in a script only being executed on start and/or endpoint reload (on edit). The interval parameter specifies when the script restarts to perform the task again. The script performs a specific task and then exits. The interval parameter is useful for a script that performs a task periodically. The interval parameter specifies how long a script waits before it restarts. Use the interval parameter to schedule and monitor scripts. Param2 = p2 #from Configuration stanza Interval parameter Host = myHost #from Global default, overridden by Scheme default Here is the spec file for the Amazon S3 example.

The stanza definition and their parameters must start at the beginning of the line.A scheme must define at least one parameter.Subsequent definitions (a new scheme stanza) and their parameters are ignored. Modular inputs can only be defined once.Source sourcetype host index disabled interval persistentQueue persistentQueueSize queueSize However, you could specify these to help clarify the usage: Specifying any of the following parameters for your modular inputs has no effect. Some parameters are always implicitly defined.Do not use any of the following as scheme names for your modular inputs:īatch fifo monitor script splunktcp tcp udp Avoid name collision with built-in scheme names.The following regex defines valid identifiers for the scheme name (the name before the ://) and for parameters:.The spec file must be at the following location:.If you don't see any results, visit the Troubleshooting page for possible resolution.Here are some things to keep in mind when writing spec files: Run a search and confirm that you see results from the forwarder that you set up the data inputs on:.On the receiving indexer, log in and load the Search and Reporting app.Once you have added your inputs, save the file and close it.You might need to create this file if it does not exist. Using your operating system file management tools or a shell or command prompt, navigate to $SPLUNK_HOME/etc/system/local.Whenever you make a change to a configuration file, you must restart the forwarder for the change to take effect. When you upgrade, the installation overwrites that file, which removes any changes you made. For example, if you have the Splunk Add-on for Unix and Linux installed, you would make edits in $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/nf.ĭo not make changes to the nf in $SPLUNK_HOME/etc/system/default. If you have an app installed and want to make changes to its input configuration, edit $SPLUNK_HOME/etc/apps//local/nf. In nearly all cases, edit nf in the $SPLUNK_HOME/etc/system/local directory. You can configure data inputs on a forwarder by editing the nf configuration file. Configure data collection on forwarders with nf
