Skip to content

Commit d476875

Browse files
pjanottipjanotti
authored
Add modular input primer (#5971)
1 parent 9f57a2d commit d476875

File tree

1 file changed

+42
-0
lines changed
  • packaging/dotnet-instr-deployer-add-on

1 file changed

+42
-0
lines changed

packaging/dotnet-instr-deployer-add-on/README.md

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,48 @@ provided by Git for Windows. Check the [Makefile](./Makefile) for the available
4040
targets - use the `build-pack` target to generate the technical add-on under
4141
`./out/distribution`.
4242

43+
### Splunk Modular Input Primer
44+
45+
This section is a very brief introduction to the general architecture of a
46+
Splunk Modular Input. In the Splunk documentation there is some overlap with
47+
a Splunk App and Splunk Add-on.
48+
49+
A Splunk Modular Input is shipped as a `.tgz` file with a specific [directory
50+
structure](https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModInputsBasicExample)
51+
in which the root directory is the name of the modular input.
52+
53+
The directory structure will contain [platform and architecture](https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/custominputs/modinputsoverview/#Platform-and-architecture-support)
54+
specific paths for the modular _script_, which can be an binary executable,
55+
Python source file, or a platform native script, e.g.: `cmd` on Windows or
56+
`sh` on Linux.
57+
58+
The modular input script is invoked by the Splunk host process, `splunkd`, and
59+
it is expected to read the input configuration from `stdin` and support the
60+
[three execution modes specified via the command line](https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/custominputs/modinputsexamples/#Script-routines).
61+
The modular input must implement the `--scheme` or `--validate-arguments`
62+
modes. At minimum the modular input script should set its exit code to 0
63+
when executed with either parameter.
64+
65+
The _Execution_ mode is when the modular input is doing the actual work and
66+
the Splunk host process is going to send the input configuration as an XML
67+
document to the modular input script's `stdin`. This XML is generated from the
68+
`<modular_input>/default/inputs.conf` file and with overrides at the
69+
`<modular_input>/local/inputs.conf` file. The schema for the modular input
70+
is defined in the `<modular_input>/README/inputs.conf.spec` file and the
71+
general documentation for the `inputs.conf.spec` is available
72+
[here](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf).
73+
The actual XML sent by the Splunk host can be obtained by following the
74+
instructions in the [Splunk documentation](https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/custominputs/modinputsexamples/#Testing-the-script).
75+
76+
Depending on the definition of the modular input, the script can be invoked
77+
periodically or just once per start of the Splunk host process. In order for
78+
configuration changes to take effect you should restart the Splunk host
79+
process.
80+
81+
When Splunk process needs the modular input script to terminate it will send
82+
the following signal to the process: `SIGTERM` on Unix-like systems and
83+
`CTRL_BREAK` on Windows.
84+
4385
### Sources
4486

4587
#### `./assets/`

0 commit comments

Comments
 (0)