ksconf attr-set

Set a specific stanza and attribute value of a Splunk .conf file. The value can be provided as a command line argument, a file, or an environment variable.

This command does not support preserving leading or trailing whitespace. Normally this is desirable.

usage: ksconf attr-set [-h] --stanza STANZA --attribute ATTR
                       [--value-type TYPE] [--create-missing] [--no-overwrite]
                       conf value

Positional Arguments

conf

Configuration file to update.

value

Value to apply to the conf file. Note that this can be a raw text string, the name of a file, or the name of an environment variable.

Named Arguments

--stanza, -s

Name of the stanza within CONF to set.

--attribute, --attr, -a

Name of the attribute within STANZA to set.

--value-type, -t

Possible choices: string, file, env

Select the type of VALUE. The default is a string. Alternatively, the real value can be provided within a file, or an environment variable.

--create-missing

Create a new conf file if it doesn’t currently exist.

--no-overwrite

Only set VALUE if none currently exists. This can be used to safely set a one-time default without overwriting an existing value.
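
How --value-type, --create-missing and --no-overwrite combine, as an added Python model of the behaviour documented above (not ksconf's own code). The names attr_set and resolve_value are hypothetical, values are assumed to be single-line, and raising an error for a missing file without --create-missing is an assumption.

```python
# Illustrative model, not ksconf code; attr_set/resolve_value are hypothetical names.
import os
import re
from pathlib import Path

STANZA_RE = re.compile(r"^\[(.*)\]\s*$")

def resolve_value(value, value_type="string", env=os.environ):
    """Turn VALUE into the real value for TYPE = string, file or env."""
    if value_type == "file":
        value = Path(value).read_text()
    elif value_type == "env":
        value = env[value]  # KeyError when the variable is not set
    elif value_type != "string":
        raise ValueError(f"unknown value type: {value_type}")
    value = value.strip()  # leading/trailing whitespace is not preserved
    if "\n" in value:
        raise ValueError("single-line values only in this model")
    return value

def attr_set(conf, stanza, attr, value, value_type="string",
             create_missing=False, no_overwrite=False, env=os.environ):
    """Apply one stanza/attribute update; return True if the file was written."""
    path = Path(conf)
    if not path.exists() and not create_missing:
        raise FileNotFoundError(conf)  # assumption: missing file is an error
    lines = path.read_text().splitlines() if path.exists() else []
    new = resolve_value(value, value_type, env)
    current = header = found = None
    for i, line in enumerate(lines):
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            header = i if current == stanza else header
        elif current == stanza and "=" in line and not line.lstrip().startswith("#"):
            key, old = (part.strip() for part in line.split("=", 1))
            if key == attr:
                found = (i, old)
    if found:
        if no_overwrite:
            return False  # existing value kept, file untouched
        lines[found[0]] = f"{attr} = {new}"
    elif header is not None:
        lines.insert(header + 1, f"{attr} = {new}")
    else:
        lines += [f"[{stanza}]", f"{attr} = {new}"]
    path.write_text("\n".join(lines) + "\n")
    return True
```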


Update build during CI/CD

ksconf attr-set build/default.app -s launcher -a version 1.1.2
ksconf attr-set build/default.app -s launcher -a build --value-type env GITHUB_RUN_NUMBER

Rewrite a saved search to match the new corporate initiative to relabel all “CRITICAL” messages as “WHOOPSIES”.

ksconf attr-get savedsearches.conf -s "Internal System Errors" -a search \
    | sed -re 's/CRITICAL/WHOOPSIES/g' \
    | ksconf attr-set savedsearches.conf -s "Internal System Errors" -a search --value-type file -


What if you want to write multiple stanza/attributes at once?

Of course it’s possible to call ksconf attr-set multiple times, but that may be awkward or inefficient if many updates are needed. In the realm of shell scripting, another option is to use ksconf merge, which is designed to merge multiple stanzas, or even multiple files, at once. With a little bit of creativity, it’s possible to add (or update) an entire new stanza in-line using a single command like so:

printf '[drop_field(1)]\ndefinition=| fields - $field$\nargs=field\niseval=0\n' \
    | ksconf merge --in-place --target macros.conf -

# which is identical to:
ksconf merge --in-place --target macros.conf \
    <(printf '[drop_field(1)]\ndefinition=| fields - $field$\nargs=field\niseval=0\n')

Of course, neither of these is super easy to read. If your content is static, then an easy answer is to use a static conf file. However, at some point it may be easier to just edit these using Python, where any arbitrary level of complexity is possible.

Ksconf has some built-in utility functions to make this kind of update-in-place workflow super simple. For example, the update_conf context manager allows access to existing conf values and quick modification. If no modification is necessary, then the file is left untouched.

from ksconf.conf.parser import update_conf, conf_attr_boolean

# Update app.conf for a build release
with update_conf("app.conf") as conf:
    conf["launcher"]["version"] = "1.0.2"
    conf["install"]["build"] = "33"

# Update sourcetype references in all saved searches; place marker in description
with update_conf("savedsearches.conf") as conf:
    for report in conf:
        if not conf_attr_boolean(conf[report].get("disabled", "0")):
            # Update enabled search
            search = conf[report].get("search", "")
            # Placeholder: substitute the new sourcetype name for "<new-sourcetype>"
            conf[report]["search"] = search.replace("cisco:old-understood-tech", "<new-sourcetype>")
            conf[report]["description"] = f"We did an update.\n Old description: {conf[report].get('description', '')}"