inputs.conf
The following are the spec and example files for inputs.conf.
inputs.conf.spec
# This file contains possible settings you can use to configure ITSI inputs, register
# user access roles, and import services and entities from CSV files or search strings.
#
# There is an inputs.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/default. To set custom
# configurations, place an inputs.conf in $SPLUNK_HOME/etc/apps/SA-ITOA/local.
# You must restart ITSI to enable new configurations.
#
# To learn more about configuration files (including precedence), see the
# documentation located at
# http://docs.splunk.com/Documentation/ITSI/latest/Configure/ListofITSIconfigurationfiles
GLOBAL SETTINGS
# Use the [default] stanza to define any global settings.
# * You can also define global settings outside of any stanza, at the top of
# the file.
# * Each conf file should have at most one default stanza. If there are
# multiple default stanzas, settings are combined. In the case of
# multiple definitions of the same setting, the last definition in the
# file wins.
# * If a setting is defined at both the global level and in a specific
# stanza, the value in the specific stanza takes precedence.
# log_level = <DEBUG|INFO|WARN|ERROR>
# * This setting sets the logging level of each modular input.
# * Logging levels are in order of most to least verbose.
# * The logging level describes the type and/or quantity of output
# that an application writes to a log file.
# * Set the logging verbosity of each modular input to specify how
# much and what kind of information it writes to the log file.
# * Setting a log level gets you messages at that level and higher,
# so default settings are typically INFO or WARN.
[itsi_user_access_init]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_user_access_init://<name>]
* A modular input that runs once during startup (or at the user's request)
to register user access roles and capabilities with the SA-UserAccess module.
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: WARN
app_name = <name>
* The Splunk application that has the user access roles and capabilities.
* Default: itsi
registered_capabilities = [true|false]
* Indicates whether or not capabilities have already been registered with ITSI.
* If true, the 'itsi_user_access_init' input does not re-register capabilities.
* If false, 'itsi_user_access_init' registers ITSI capabilities again.
* Default: false
[configure_itsi]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[configure_itsi://<name>]
* A configuration input that runs once (or at the user's request) to pull
entities from the configuration file system into the App Key Value (KV) Store.
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: WARN
is_configured = ""
* Retained for backwards compatibility.
[itsi_csv_import]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_csv_import://<string>]
* A modular input that periodically uploads CSV data into the KV Store.
* The CSV file must contain headers for the import to work properly.
* This input runs every 4 hours or after a Splunk software restart.
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: WARN
import_from_search = <boolean>
* Indicates whether to import data from a CSV file or a Splunk search.
* If "true", this input imports data from the search specified by 'search_string'.
* If "false", this input imports CSV data from the path specified by 'csv_location'.
* This setting is required, and the input does not run if the setting is
not present.
* There is no default.
csv_location = <path>
* The location on disk of the CSV file to import.
* NOTE: The disk must be local to the search head. Cloud storage is unacceptable.
* This setting is required if you import data from a CSV file
(if you set 'import_from_search' to "false").
* There is no default.
search_string = <string>
* The Splunk search string that generates the data to import.
* This setting is required if you import from a search string
(if you set 'import_from_search' to "true").
* There is no default.
service_security_group = <string>
* The ITSI team that the imported services belong to.
* Use teams to group services by department, organization, or
type of service and control access to the services.
* This setting is required, and the input does not run if the setting is
not present.
* There is no default.
index_earliest = <integer>
* Specify the earliest _indextime, in minutes, for the time range of your search.
* This setting is required if you import from a search string
(if you set 'import_from_search' to "true").
* Default: -15m
index_latest = <integer>
* Specify the latest _indextime, in minutes, for the time range of your search.
* This setting is required if you import from a search string
(if you set 'import_from_search' to "true").
* Default: now
entity_title_field = <string>
* The column name in the CSV file, or the field in the search, to import
the entity title from.
* This field serves as the informal identifier of the entity.
* There is no default.
entity_merge_field = <string>
* The column name in the CSV file, or the field in the search, to import
the entity merge field from.
* There is no default.
entity_relationship_spec = <dict>
* A dictionary of key:value pairs that specifies how
'entity_title_field' associates with other fields and in what relationship.
* NOTE: This setting is unused.
* For example,
{"hosts": "vm1, vm2", "hostedBy": "host_id"}, or
{"hosts": ["vm1", "vm2"], "hostedBy": "host_id"}.
* For a record that has values for fields: vm1, vm2, host_id,
<'entity_title_field' value>, three relationships are extracted:
<value for 'entity_title_field'> hosts <value for vm1>
<value for 'entity_title_field'> hosts <value for vm2>
<value for 'entity_title_field'> hostedBy <value for host_id>
* There is no default.
selected_services = <comma-separated list>
* A list of existing services to associate the imported entities with.
* DEPRECATED.
* There is no default.
service_rel = <comma-separated list>
* A list of existing service relationships.
* DEPRECATED.
* Use this setting to represent service dependencies in ITSI.
* There is no default.
service_dependents = <comma-separated list>
* A list of child columns in the CSV file, or child fields in the search,
that indicate service dependencies.
* There is no default.
entity_service_columns = <comma-separated list>
* A list of services found in the CSV file or search that are to be
associated with the entity for the row.
* DEPRECATED.
* There is no default.
entity_identifier_fields = <comma-separated list>
* A list of columns found in the CSV file or fields in the search
that identify the entities (entity aliases).
* There is no default.
entity_description_column = <comma-separated list>
* A list of columns found in the CSV file or fields in the search
that describe the entities.
* There is no default.
entity_informational_fields = <comma-separated list>
* A list of informational columns in the CSV file or fields in the search.
* These are non-identifying fields for the entities.
* There is no default.
entity_field_mapping = <key-value pairs>
* A key-value mapping of fields to re-map to other fields in your data.
* Follows a <CSV field> = <Splunk search field> format.
* For example, ip1 = dest, ip2 = dest, storage_type = volume
* Use this setting to rename a field or column to an alias or info value.
* There is no default.
service_title_field = <string>
* The field to import the service title from.
* This field is the informal identifier of the service.
* There is no default.
* This setting is required if you import services.
service_description_column = <comma-separated list>
* A list of columns in the CSV file or fields in the search
that describe the services.
* There is no default.
service_tags_field = <comma-separated list>
* A list of columns in the CSV file or fields in the search
that add descriptor tags to the services.
* There is no default.
service_enabled = <boolean>
* Whether or not imported services are enabled.
* Default: false
service_template_field = <string>
* This setting determines which service template a service is linked to.
* There is no default.
template = <dict>
* A dictionary of key:value pairs that maps entity rules to service templates.
* For example,
{"test_template_2":{"entity_rules":[{"rule_items":
[{"rule_type":"matches","field_type":"alias","field":"whoa","value":"doe"}],
"rule_condition":"AND"}]},"test_template_1":{"entity_rules":[{"rule_items":
[{"rule_type":"matches","field_type":"alias","field":"blah","value":"da"}],
"rule_condition":"AND"}]}}
* CAUTION: Do not change this setting.
* There is no default.
backfill_enabled = <boolean>
* This setting determines whether to enable backfill on all
Key Performance Indicators (KPIs) in linked service templates.
* Backfill is the process of getting historical KPI data.
* ITSI backfills the KPI summary index (itsi_summary). You must have
indexed adequate raw data for the backfill period.
* There is no default.
update_type = <APPEND|UPSERT|REPLACE>
* The update/insertion method when uploading entities.
* This setting is required, and the input will not run if the setting is
not present.
* APPEND: ITSI makes no attempt to identify commonalities between entities.
All information is appended to the table.
* UPSERT: ITSI appends new entries. Existing entries (based on the value
found in the title_field) have additional information appended
to the existing record.
* REPLACE: ITSI appends new entries. Existing entries (based on the value
found in the title_field) are replaced by the new record value.
* There is no default.
interval = <integer>
* The interval, in seconds, that determines how often this input runs.
* There is no default.
[itsi_async_csv_loader]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_async_csv_loader://<name>]
* A modular input that periodically uploads CSV data into the KV store.
* The file must contain headers for the import to work properly.
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: WARN
import_from_search = <boolean>
* Indicates whether to import data from a CSV file or a Splunk search.
* If "true", this input imports data from the search specified by 'search_string'.
* If "false", this input imports CSV data from the path specified by 'csv_location'.
* This setting is required, and the input does not run if the setting is
not present.
* There is no default.
csv_location = <path>
* The location on disk of the CSV file to import.
* NOTE: The disk must be local to the search head. Cloud storage is unacceptable.
* This setting is required if you import data from a CSV file
(if you set 'import_from_search' to "false").
* There is no default.
search_string = <string>
* The Splunk search string that generates the data to import.
* This setting is required if you import from a search string
(if you set 'import_from_search' to "true").
* There is no default.
index_earliest = <integer>
* Specify the earliest _indextime, in minutes, for the time range of your search.
* This setting is required if you import from a search string
(if you set 'import_from_search' to "true").
* Default: -15m
index_latest = <integer>
* Specify the latest _indextime, in minutes, for the time range of your search.
* This setting is required if you import from a search string
(if you set 'import_from_search' to "true").
* Default: now
entity_title_field = <string>
* The column name in the CSV file, or the field in the search, to import
the entity title from.
* This field serves as the informal identifier of the entity.
* There is no default.
entity_merge_field = <string>
* The column name in the CSV file, or the field in the search, to import
the entity merge field from.
* There is no default.
entity_relationship_spec = <dict>
* A dictionary of key:value pairs that specifies how
'entity_title_field' associates with other fields and in what relationship.
* NOTE: This setting is unused.
* For example,
{"hosts": "vm1, vm2", "hostedBy": "host_id"}, or
{"hosts": ["vm1", "vm2"], "hostedBy": "host_id"}.
* For a record that has values for fields: vm1, vm2, host_id,
<'entity_title_field' value>, three relationships are extracted:
<value for 'entity_title_field'> hosts <value for vm1>
<value for 'entity_title_field'> hosts <value for vm2>
<value for 'entity_title_field'> hostedBy <value for host_id>
* There is no default.
selected_services = <comma-separated list>
* A list of existing services to associate the imported entities with.
* DEPRECATED.
* There is no default.
service_rel = <comma-separated list>
* A list of existing service relationships.
* DEPRECATED.
* Use this setting to represent service dependencies in ITSI.
* There is no default.
service_dependents = <comma-separated list>
* A list of child columns in the CSV file, or child fields in the search,
that indicate service dependencies.
* There is no default.
entity_service_columns = <comma-separated list>
* A list of services found in the CSV file or search that are to be
associated with the entity for the row.
* DEPRECATED.
* There is no default.
entity_identifier_fields = <comma-separated list>
* A list of columns found in the CSV file or fields in the search
that identify the entities (entity aliases).
* There is no default.
entity_description_column = <comma-separated list>
* A list of columns found in the CSV file or fields in the search
that describe the entities.
* There is no default.
entity_informational_fields = <comma-separated list>
* A list of informational columns in the CSV file or fields in the search.
* These are non-identifying fields for the entities.
* There is no default.
entity_field_mapping = <key-value pairs>
* A key-value mapping of fields to re-map to other fields in your data.
* Follows a <CSV field> = <Splunk search field> format.
* For example, ip1 = dest, ip2 = dest, storage_type = volume
* Use this setting to rename a field or column to an alias or info value.
* There is no default.
service_title_field = <string>
* The field to import the service title from.
* This field is the informal identifier of the service.
* There is no default.
* This setting is required if you import services.
service_description_column = <comma-separated list>
* A list of columns in the CSV file or fields in the search
that describe the services.
* There is no default.
service_tags_field = <comma-separated list>
* A list of columns in the CSV file or fields in the search
that add descriptor tags to the services.
* There is no default.
update_type = <APPEND|UPSERT|REPLACE>
* The update/insertion method when uploading entities.
* This setting is required, and the input will not run if the setting is
not present.
* APPEND: ITSI makes no attempt to identify commonalities between entities.
All information is appended to the table.
* UPSERT: ITSI appends new entries. Existing entries (based on the value
found in the title_field) have additional information appended
to the existing record.
* REPLACE: ITSI appends new entries. Existing entries (based on the value
found in the title_field) are replaced by the new record value.
* There is no default.
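The required-setting rules above for `itsi_csv_import://` and `itsi_async_csv_loader://` stanzas can be checked before a restart. The following linter is an added example, not part of the Splunk spec or ITSI code; the sample stanzas, file paths and team name are constructed, and treating a `://` in `csv_location` as "not local disk" is a heuristic assumption.

```python
import re

# Allowed values, taken from the spec text on this page.
LOG_LEVELS = {"DEBUG", "INFO", "WARN", "ERROR"}
UPDATE_TYPES = {"APPEND", "UPSERT", "REPLACE"}
IMPORT_SCHEMES = {"itsi_csv_import", "itsi_async_csv_loader"}

# Constructed sample of a local/inputs.conf; not shipped with ITSI.
SAMPLE = """\
[itsi_csv_import://good_import]
import_from_search = false
csv_location = /opt/splunk/var/itsi/entities.csv
service_security_group = example_team
update_type = UPSERT
log_level = WARN

[itsi_csv_import://broken_import]
import_from_search = true
csv_location = /tmp/entities.csv
update_type = MERGE
log_level = VERBOSE

[itsi_async_csv_loader://remote_file]
import_from_search = false
csv_location = s3://bucket/entities.csv
update_type = APPEND
"""


def parse_conf(text):
    """Parse stanza / key = value text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def lint_stanza(name, settings):
    """Return the list of spec violations for one import stanza."""
    scheme = name.split("://", 1)[0]
    problems = []
    # The spec names only "true" and "false" for this setting.
    mode = settings.get("import_from_search", "").lower()
    if mode not in ("true", "false"):
        problems.append("import_from_search must be set to true or false")
    elif mode == "true" and not settings.get("search_string"):
        problems.append("search_string is required when import_from_search is true")
    elif mode == "false":
        path = settings.get("csv_location", "")
        if not path:
            problems.append("csv_location is required when import_from_search is false")
        elif "://" in path:
            # Heuristic (assumption): a URL scheme means the file is not on local disk.
            problems.append("csv_location must be a path local to the search head")
    if settings.get("update_type") not in UPDATE_TYPES:
        problems.append("update_type must be APPEND, UPSERT or REPLACE")
    # service_security_group is listed only under itsi_csv_import.
    if scheme == "itsi_csv_import" and not settings.get("service_security_group"):
        problems.append("service_security_group is required")
    level = settings.get("log_level")
    if level is not None and level not in LOG_LEVELS:
        problems.append("log_level must be DEBUG, INFO, WARN or ERROR")
    return problems


def lint(text):
    """Lint every itsi_csv_import:// and itsi_async_csv_loader:// stanza."""
    return {
        name: lint_stanza(name, settings)
        for name, settings in parse_conf(text).items()
        if "://" in name and name.split("://", 1)[0] in IMPORT_SCHEMES
    }


if __name__ == "__main__":
    for stanza, problems in lint(SAMPLE).items():
        print(stanza, "OK" if not problems else problems)
```
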
[itsi_migration_queue]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_migration_queue://<name>]
* A modular input that checks the ITSI migration queue.
* If the queue is not empty, start a migration with params stored in the queue.
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: INFO
[itsi_refresher]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_refresher://<name>]
* A modular input that processes deferred methods using a single queue processor.
* Tracks relational objects and dependencies.
* This input detects conflicts and ensures consistency across ITSI.
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: INFO
[itsi_consumer]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_consumer://<name>]
* A modular input that processes deferred methods using multiple queues
across the Splunk environment.
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: INFO
number_of_thread = <integer>
* Number of threads enabled for certain refresh queue jobs.
* 0 or 1 means a single thread.
* Default: 8
[itsi_backup_restore]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_backup_restore://<name>]
* A modular input that performs backup and restore operations by
managing backup/restore jobs.
* If you restore ITSI from a backup of an older version of ITSI,
migration begins during the restore process.
* The input runs every 5 seconds to check for the scheduled job.
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: INFO
[itsi_scheduled_backup_caller]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_scheduled_backup_caller://<name>]
* A modular input that manages ITSI backup schedules.
* For example, you might use this input if you want to back up ITSI
every night at 1 am.
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: INFO
[itsi_service_template_update_scheduler]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_service_template_update_scheduler://<name>]
* A modular input that performs a scheduled sync from
service templates to services every 15 minutes.
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: INFO
[itsi_backfill]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_backfill://<name>]
* A modular input that manages KPI backfill jobs.
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: INFO
[itsi_notable_event_archive]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_notable_event_archive://<name>]
* A modular input that moves notable events from the KV store
to the index every hour.
owner = <string>
* Splunk cannot read the modular name unless a parameter is specified.
Therefore, ITSI passes 'owner = <string>'.
[maintenance_minder]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[maintenance_minder://<name>]
* A modular input that runs every 60 seconds and populates
the operative maintenance log based on configured maintenance windows.
* This input is responsible for putting services into maintenance mode.
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: INFO
[itsi_default_aggregation_policy_loader]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_default_aggregation_policy_loader://<name>]
* A modular input that loads the default aggregation policy.
* The default aggregation policy receives notable events that do
not match the filtering criteria of any other aggregation policies.
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: INFO
[itsi_default_correlation_search_acl_loader]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_default_correlation_search_acl_loader://<name>]
* A modular input that loads the Access Control List (ACL)
for the default correlation searches provided with ITSI:
"Monitor Critical Services Based on Health Score",
"Splunk App for Infrastructure Alerts", and
"Normalized Correlation Search".
* This input pulls ACL information from the KV store.
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: INFO
[itsi_notable_event_hec_init]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_notable_event_hec_init://<name>]
* A modular input that initializes the HEC client on a search head by creating and
showing pertinent HEC tokens.
* A new HEC token is acquired during a Splunk restart.
* The internal system populates the new HEC token automatically.
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: INFO
[itsi_notable_event_actions_queue_consumer]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_notable_event_actions_queue_consumer://name]
* A modular input that acts as a consumer of the queue for executing
notable event actions, such as pinging a host or running a script.
* This setting is primarily used by the rules engine.
exec_delay_time = <integer>
* The amount of time, in seconds, to delay execution of a notable event action.
* Default: 0
batch_size = <integer>
* The number of jobs to pick up in a single request from the
notable event actions queue.
* Default: 5
timeout = <integer>
* The timeout period, in seconds, that ITSI uses when a
user reclaims an expired job.
* Default: 7200 (2 hours)
system_user_name = <string>
* The username of the system.
* Default: splunk-system-user
[itsi_entity_exchange_consumer]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_entity_exchange_consumer://name]
* A modular input that consumes entities from the entity exchange module.
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of the modular input.
* Default: DEBUG
interval = <value>
* The interval, in seconds, at which the modular input should run.
* Optional
* Default: 300 (5 minutes)
[itsi_age_kpi_alert_value_cache]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_age_kpi_alert_value_cache://<name>]
* A modular input that cleans up the aged entries in the KPI summary cache.
retentionTimeInSec = <integer>
* Aging/retention time for entries present in the KPI summary cache.
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: INFO
[itsi_summary_metrics_backfill]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_summary_metrics_backfill://<name>]
* A modular input that migrates data from the itsi_summary index to the
itsi_summary_metrics index by checking the metrics_backfill queue.
disabled = <boolean>
* Whether or not the modular input for metrics backfill is disabled.
* Default: 1
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: INFO
metrics_backfill_throttle = <integer>
* The amount of time, in seconds, that the backfill function pauses between executing metrics backfill searches.
* Default: 10
metrics_backfill_length = <integer>
* The amount of time, in days, that the metrics backfill searches look back to migrate data
into the itsi_summary_metrics index.
* Default: 3
metrics_backfill_concurrent_searches = <integer>
* The number of concurrent searches the backfill function runs at the same time. Having more
concurrent searches allows backfill searches to complete faster but puts more load on the indexers.
[itsi_suite_enforcer]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_suite_enforcer://<name>]
* A modular input that enforces suite editions.
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: INFO
interval = <integer>
* The interval, in seconds, that determines how often this input runs.
* There is no default.
[itsi_backfill_record_cleanup]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
[itsi_backfill_record_cleanup://<name>]
* A modular input that enforces suite editions.
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: INFO
interval = <integer>
* The interval, in seconds, that determines how often this input runs.
* There is no default.
[itsi_exported_episode_files_cleaner]
python.version = {default|python|python2|python3}
* In Splunk Enterprise version 8.0 and later, this attribute lets you select
which Python version to use.
interval = <integer>
* The interval, in seconds, that determines how often this input runs. By default it runs every day.
* Default: 86400
[itsi_exported_episode_files_cleaner://name]
log_level = <DEBUG|INFO|WARN|ERROR>
* The logging level of this input.
* Default: INFO
inputs.conf.example
No example