Edit CrowdStrike data input

Edit a CrowdStrike input to update configuration parameters such as AWS credentials, SQS queue settings, or the destination index.

You can edit a CrowdStrike input to update configuration parameters such as AWS credentials, SQS queue settings, sensor event filters, device enrichment settings, or the destination index.

  1. Log in to Splunk Cloud and select the Data Inputs app.
  2. On the Data Inputs page, find the data input that you want to revise and select the Edit action.
  3. The input configuration form opens and displays the current parameter values. Modify the parameters as needed:
    • Update AWS credentials if needed.
    • Change the SQS queue if your data source has changed.
    • Adjust visibility timeout or notification cut off time.
    • Select a different destination index.
    • Change the sensor event filter. You can select a different shared filter, create a new filter, clone an existing filter, or edit the existing filter. When you edit a shared filter, the changes apply to all inputs that use it. If the assigned filter is read-only (system-preset), you cannot edit its fields, clone it first to create an editable copy. Sensor event filter validation requires at least one filter value, a unique name, and a supported mode. Data Inputs doesn't persist filter changes until you save the parent input.
    • Turn device enrichment on or off. When you turn on device enrichment, select or create a CrowdStrike client configuration and optionally configure device property filters. Device property filters operate in Enrich mode (Data Inputs includes all properties; specified ones receive additional enrichment) or Drop mode (Data Inputs includes all properties except specified ones). If the assigned device property filter is read-only (system-preset), you cannot edit its fields, clone it first to create an editable copy. Data Inputs doesn't persist device property filter changes until you save the parent input.
    • Edit the CrowdStrike API client configuration. You can edit the client globally from the input details page. Because multiple inputs can share the client, any change you make applies to all inputs that reference it. There is no clone option for the API client, only global edit is available. The client must have Hosts read access. If the secret is invalid or the scope is removed, you cannot save the input. Data Inputs doesn't persist API client changes until you save the parent input.
    Note: You can edit an input even when its deployment status is warning. This allows you to correct configuration issues, such as invalid credentials.
  4. Save the updated configuration.

    The system validates the new parameters and updates the input. If you changed CrowdStrike credentials, the deployment status reflects the new validation results.

    Once you save the input with valid credentials, the status returns to a healthy state automatically.

Monitor the deployment status to verify that the system applied your changes successfully.