Edit CrowdStrike data input

Edit a CrowdStrike input to update configuration parameters such as AWS credentials, SQS queue settings, or the destination index.

You can edit a CrowdStrike input to update configuration parameters such as AWS credentials, SQS queue settings, sensor event filters, device enrichment settings, or the destination index.

  1. Log in to Splunk Cloud and select Data Manager.
  2. In the Ingest inputs tab, select the CrowdStrike data input that you want to update.
  3. In the details section, select Edit.

    The input configuration form opens, displaying the current parameter values.

  4. Modify the parameters as needed:
    • Update AWS credentials if needed.
    • Change the SQS queue if your data source has changed.
    • Adjust visibility timeout or notification cutoff time.
    • Select a different destination index.
    • Change the sensor event filter. You can select a different shared filter, create a new filter, or edit the existing filter. When you edit a shared filter, the changes apply to all inputs that use it. Sensor event filter validation requires at least one filter value, a unique name, and a supported mode.
    • Turn device enrichment on or off. When device enrichment is turned on, select or create a CrowdStrike client configuration and optionally configure device property filters. When you edit a shared CrowdStrike client configuration, the changes apply to all inputs that use it.
    Note: You can edit an input even when its deployment status is failed. This allows you to correct configuration issues such as invalid credentials.
  5. Save the updated configuration.

    The system validates the new parameters and updates the input. If CrowdStrike credentials were changed, the deployment status will reflect the new validation results.

Monitor the deployment status to verify the changes were applied successfully.