Create a setup screen to modify conf files

From Splunk Wiki


You create a setup screen for your app by placing a setup.xml file in your $SPLUNK_HOME/etc/apps/<app_name>/default/ directory. See "Configure a setup screen for your app" in the official Splunk documentation for more about setup.xml, including the setup.xml syntax.

This topic describes how to configure setup.xml to modify the configuration files in your app's $SPLUNK_HOME/etc/apps/<app_name>/default directory, for example to let users add or modify saved searches, or enable and disable scripted inputs and set a polling time. setup.xml modifies .conf files using Splunk's REST endpoints. Most configuration files have one or more endpoints, relative to https://localhost:8089/servicesNS/nobody/<app_name>/.

Warning: Splunk's REST endpoints are not regularly tested and are subject to developer drift. The examples here worked at the time this page was written, but they are not supported and there is no guarantee that they will continue to work.

When you use setup.xml to modify a configuration file:

  • endpoint directly or indirectly specifies the configuration file to modify. Most of the configuration files within Splunk have one or more corresponding endpoints (although they are not "certified"). For example, inputs.conf has a number of corresponding endpoints, including admin/monitor (for monitored files), admin/script (scripted inputs), etc.
  • entity specifies the stanza to modify in the configuration file.
  • field specifies the attribute within the stanza to modify.

The setup process uses the existing values in the configuration files as the initial values for populating the setup screen.

basic configuration

The following example does the following:

  • uses the admin/savedsearch endpoint (relative to https://localhost:8089/servicesNS/nobody/<app_name>/) to update "My Saved Search" in savedsearches.conf
  • uses the admin/script endpoint to enable a scripted input and set the polling interval.

The setup screen looks like this:


Here are the configuration files you want to modify. The .conf files and stanza(s) you want to modify must already exist. (See below for how to create a new object in an existing .conf file).

savedsearches.conf:

[My Saved Search]
search = sourcetype=access_* ( 404 OR 500 OR 503 )
is_scheduled = 1
dispatch.earliest_time = -1d

inputs.conf (the scripted input stanza; its stanza header is not preserved on this page):

interval = 60
sourcetype = customsourcetype
source = customsource
disabled = 1


Here's the setup.xml that modifies these files. The <setup> root element and the closing tags are required for the file to be valid XML, and each <input> declares its control type:

  <setup>
    <block title="Saved search: Web Server Errors" endpoint="admin/savedsearch" entity="My Saved Search">
      <input field="dispatch.earliest_time">
        <label>Set default time span for search (for example, -6h is 6 hours)</label>
        <type>text</type>
      </input>
    </block>
    <!-- entity names the scripted input stanza; its value is not preserved on this page -->
    <block title="My Scripted Input" endpoint="admin/script" entity="">
      <input field="interval">
        <label>Polling Interval (sec)</label>
        <type>text</type>
      </input>
      <input field="enabled">
        <type>bool</type>
      </input>
    </block>
  </setup>

setup.xml has two modes you can use to expose multiple stanzas to the user, based on a regex in the entity definition.

bulk mode

mode="bulk" configures all the entities under a given endpoint that match a regex:

  <block title="Schedule Searches" endpoint="admin/savedsearch" entity="*" mode="bulk">
    <input entity="*" field="is_scheduled" mode="bulk">
      <label>Enable scheduling for all searches</label>
      <type>bool</type>
    </input>
  </block>


iterative mode

mode="iter" iterates over all entities that match a regex and lets the user configure them separately.

  <block title="Enable searches" endpoint="admin/savedsearch">
    <input entity="*" mode="iter" field="is_scheduled">
      <label>Enable $name$</label>
      <type>bool</type>
    </input>
  </block>


new objects

You can create a new stanza by setting entity='_new'. You then create an entry box for each field you want by setting field=<fieldname>. The file you want to modify must exist.

For example, use the following XML to allow users to create a new saved search:


  <block title="Create a new saved search" endpoint="admin/savedsearch" entity="_new">
    <input field="name">
      <type>text</type>
    </input>
    <input field="search">
      <type>text</type>
    </input>
  </block>
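The following script is an added example and is not code from the Splunk Wiki or from Splunk. It reads a setup.xml containing the kinds of blocks shown on this page (single entity, bulk and iter modes, and entity="_new") and works out, without contacting a server, which REST URL each block writes to and which fields it sets, using the base URL https://localhost:8089/servicesNS/nobody/<app_name>/ quoted above. The URL mapping, the scripted-input stanza name script://./bin/example.py, and the app name are assumptions constructed for the example; the review findings flag the two things a reviewer of an app's setup screen should look at first: blocks that write to admin/script (a scripted input runs a program on the Splunk host when enabled) and bulk or iter blocks that touch every matching entity.

```python
"""Static review of a Splunk app's setup.xml (added example, not from the page).

Assumption: a <block endpoint="E" entity="N"> with <input field="F"> elements
becomes a write of fields F to https://localhost:8089/servicesNS/nobody/<app>/E/N.
The base URL is quoted from the page; the exact field mapping is an assumption.
"""
import xml.etree.ElementTree as ET
from urllib.parse import quote

BASE = "https://localhost:8089/servicesNS/nobody/{app}/"
# Endpoints whose settings control a program that runs on the Splunk host.
CODE_EXEC_ENDPOINTS = {"admin/script"}

# Constructed sample setup.xml, built from the block shapes shown on this page.
# The scripted input stanza name is made up for the example.
SETUP_XML = """<setup>
  <block title="Saved search: Web Server Errors" endpoint="admin/savedsearch" entity="My Saved Search">
    <input field="dispatch.earliest_time">
      <label>Set default time span for search</label>
      <type>text</type>
    </input>
  </block>
  <block title="My Scripted Input" endpoint="admin/script" entity="script://./bin/example.py">
    <input field="interval"><label>Polling Interval (sec)</label><type>text</type></input>
    <input field="enabled"><type>bool</type></input>
  </block>
  <block title="Schedule Searches" endpoint="admin/savedsearch" entity="*" mode="bulk">
    <input entity="*" field="is_scheduled" mode="bulk">
      <label>Enable scheduling for all searches</label>
      <type>bool</type>
    </input>
  </block>
  <block title="Create a new saved search" endpoint="admin/savedsearch" entity="_new">
    <input field="name"><type>text</type></input>
    <input field="search"><type>text</type></input>
  </block>
</setup>"""


def plan_requests(setup_xml, app):
    """Return one entry per <block>: the REST URL it targets and the fields it writes."""
    root = ET.fromstring(setup_xml)
    if root.tag != "setup":
        raise ValueError("root element must be <setup>, got <%s>" % root.tag)
    base = BASE.format(app=app)
    plan = []
    for block in root.iter("block"):
        endpoint = block.get("endpoint")
        if not endpoint:
            raise ValueError("block %r has no endpoint" % block.get("title"))
        entity = block.get("entity", "")
        mode = block.get("mode")
        fields = []
        for inp in block.findall("input"):
            if inp.get("field"):
                fields.append(inp.get("field"))
            # The iter and bulk examples put entity/mode on the <input> instead of the <block>.
            entity = inp.get("entity", entity)
            mode = inp.get("mode", mode)
        wildcard = mode in ("bulk", "iter") or "*" in entity
        creates = entity == "_new"
        if creates or wildcard:
            # Collection URL: a create, or a fan-out over every entity matching the pattern.
            url = base + endpoint
        else:
            # One stanza: the entity name is a path segment, so spaces and slashes are escaped.
            url = base + endpoint + "/" + quote(entity, safe="")
        plan.append({
            "title": block.get("title"),
            "endpoint": endpoint,
            "entity": entity,
            "mode": mode,
            "url": url,
            "fields": fields,
            "creates": creates,
            "wildcard": wildcard,
            "code_exec": endpoint in CODE_EXEC_ENDPOINTS,
        })
    return plan


def review_findings(plan):
    """Points a reviewer should look at before the app ships."""
    findings = []
    for p in plan:
        if p["code_exec"]:
            findings.append("%s: writes to %s, which controls a scripted input (a program on the Splunk host)"
                            % (p["title"], p["endpoint"]))
        if p["wildcard"]:
            findings.append("%s: %s mode touches every %s entity matching %r"
                            % (p["title"], p["mode"], p["endpoint"], p["entity"]))
        if p["creates"] and "name" not in p["fields"]:
            findings.append("%s: entity=_new but no 'name' field, so no stanza can be created" % p["title"])
    return findings


if __name__ == "__main__":
    for entry in plan_requests(SETUP_XML, "myapp"):
        print(entry["title"], "->", entry["url"], entry["fields"])
    for finding in review_findings(plan_requests(SETUP_XML, "myapp")):
        print("REVIEW:", finding)
```

Run it against your own app by replacing SETUP_XML with the contents of default/setup.xml; a block that resolves to an unexpected endpoint, or a bulk block whose pattern is wider than intended, shows up in the printed URLs before any user ever opens the setup screen.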