Monad Commands

Overview

The netapi monad commands provide CLI access to Monad Security Pipeline API (Splunk’s next-gen security data platform). All commands support -f json for jq piping.

Prerequisites

# Load Monad credentials from dsec
dsource d000 lab/app

# Required environment variables
export MONAD_API_KEY="eyJhbGciOiJSUzI1NiIsInR..."  # JWT token
export MONAD_ORG_ID="org_abc123..."                 # Organization ID

Commands (30+ total)

Command Categories

Category Commands

Category	Commands
Pipelines	`pipelines`, `pipeline`, `pipeline-create`, `pipeline-delete`, `pipeline-enable`, `pipeline-disable`
Inputs	`inputs`, `input-catalog`, `input-search`, `input-create`
Outputs	`outputs`, `output-catalog`, `output-search`
Transforms	`transforms`, `transform-catalog`
Utilities	`summary`, `export`, `jwt-decode`, `jwt-verify`
Syslog	`syslog-endpoint`
Logs	`logs`, `logs-pipeline`, `logs-api`
Batch	`batch-enable`, `batch-disable`
Advanced	`quick-pipeline`, `graph`, `health`, `clone`, `watch`
Raw API	`api`

Pipelines

pipelines, pipeline, pipeline-create, pipeline-delete, pipeline-enable, pipeline-disable

Inputs

inputs, input-catalog, input-search, input-create

Outputs

outputs, output-catalog, output-search

Transforms

transforms, transform-catalog

Utilities

summary, export, jwt-decode, jwt-verify

Syslog

syslog-endpoint

Logs

logs, logs-pipeline, logs-api

Batch

batch-enable, batch-disable

Advanced

quick-pipeline, graph, health, clone, watch

Raw API

api

Pipeline Commands

Pipelines are the core abstraction: Input → Transforms → Output.

List Pipelines

# Table output
netapi monad pipelines

# JSON output
netapi monad pipelines -f json

Sample Output

Pipelines (5)
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓
┃ Status   ┃ Name                  ┃ ID           ┃ Description          ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩
│ ENABLED  │ cisco-ise-prod        │ 765ecf0e...  │ ISE syslog to S3     │
│ ENABLED  │ pfsense-firewall      │ a23bc4d5...  │ Firewall logs        │
│ DISABLED │ test-pipeline         │ f89ab012...  │ Testing              │
└──────────┴───────────────────────┴──────────────┴──────────────────────┘

Get Pipeline Details

# Basic details
netapi monad pipeline 765ecf0e-20fe-494c-9406-f38ddd8fda1a

# Full v2 API details (includes nodes, edges)
netapi monad pipeline 765ecf0e... --v2

# JSON for scripting
netapi monad pipeline 765ecf0e... -f json

Create Pipeline

# First, get available inputs and outputs
netapi monad inputs
netapi monad outputs

# Create pipeline
netapi monad pipeline-create "my-pipeline" \
  --input 9b6d1234-... \
  --output 43fc5678-... \
  --desc "Description here"

Enable/Disable Pipeline

# Enable
netapi monad pipeline-enable 765ecf0e-...

# Disable
netapi monad pipeline-disable 765ecf0e-...

Delete Pipeline

# With confirmation
netapi monad pipeline-delete 765ecf0e-...

# Force delete (no confirmation)
netapi monad pipeline-delete 765ecf0e-... --force

Input Commands

Inputs define how data enters the pipeline (syslog, HTTP, Splunk HEC, etc.).

List Organization Inputs

# All inputs
netapi monad inputs

# JSON output
netapi monad inputs -f json

# Filter by type
netapi monad inputs --type syslog
netapi monad inputs -t monad-http

Input Catalog

Browse available input connector types:

# List all available types
netapi monad input-catalog

# Limit results
netapi monad input-catalog -n 50

Search Input Catalog

netapi monad input-search cisco
netapi monad input-search syslog
netapi monad input-search microsoft
netapi monad input-search crowdstrike

Create Input

# Syslog input (default)
netapi monad input-create "My Syslog"

# Specify type
netapi monad input-create "HTTP Endpoint" --type monad-http
netapi monad input-create "Splunk HEC" --type monad-splunk-hec

Table 1. Common Input Types
Type	Description
`monad-syslog`	Syslog receiver (TLS TCP 6514)
`monad-http`	HTTP endpoint
`monad-splunk-hec`	Splunk HEC compatible
`monad-s3`	AWS S3 bucket
`monad-kafka`	Kafka consumer

Output Commands

Outputs define where processed data goes (S3, Sentinel, Splunk, etc.).

List Organization Outputs

netapi monad outputs
netapi monad outputs -f json

Output Catalog

netapi monad output-catalog
netapi monad output-catalog -n 50

Search Output Catalog

netapi monad output-search sentinel
netapi monad output-search s3
netapi monad output-search splunk
netapi monad output-search elasticsearch

Transform Commands

Transforms modify data in-flight (parse, filter, enrich, etc.).

List Transforms

netapi monad transforms
netapi monad transforms -f json

Transform Catalog

netapi monad transform-catalog

Table 2. Common Transform Types
Type	Description
`filter`	Filter events by condition
`parse`	Parse structured data (JSON, CEF, etc.)
`rename`	Rename fields
`drop`	Drop fields
`enrich`	Add contextual data

Utility Commands

Organization Summary

Get a full overview of your Monad organization:

netapi monad summary

Sample Output

Monad Organization: org_abc123...

Pipelines (3):
  ON cisco-ise-prod (765ecf0e...)
  ON pfsense-firewall (a23bc4d5...)
  OFF test-pipeline (f89ab012...)

Inputs (4):
  [monad-syslog] ISE Syslog
  [monad-syslog] Firewall Syslog
  [monad-http] Webhook Endpoint

Outputs (2):
  [monad-s3] AWS S3 Archive
  [monad-sentinel] Microsoft Sentinel

Transforms (1):
  CEF Parser

Export Configuration

Backup your entire Monad configuration:

# Default filename
netapi monad export

# Custom filename
netapi monad export -o backup-2026-03-25.json

JWT Debug Commands

Debug authentication issues:

# Decode JWT token payload
netapi monad jwt-decode

# Verify JWT org matches MONAD_ORG_ID
netapi monad jwt-verify

Sample jwt-decode Output

JWT Payload
┏━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Field        ┃ Value                                           ┃
┡━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ Organization │ org_abc123...                                   │
│ Role         │ admin                                           │
│ Expires      │ 2027-03-25T00:00:00                             │
│ Expires In   │ 365 days, 0:00:00                               │
└──────────────┴─────────────────────────────────────────────────┘

Syslog Configuration

Get Syslog Endpoint

Get the syslog endpoint for a pipeline:

netapi monad syslog-endpoint 765ecf0e-20fe-494c-9406-f38ddd8fda1a

Sample Output

Syslog Endpoint
  Host: 765ecf0e-20fe-494c-9406-f38ddd8fda1a.l4.monad.com
  Port: 6514
  Protocol: TLS TCP (RFC 6587 framing)

Test Command:
  MSG='<34>1 2024-01-15T10:30:00Z myhost test 1234 - - Test'
  echo -n "${#MSG} $MSG" | openssl s_client -connect <host>:6514 -quiet

rsyslog Config:
  *.* action(type="omfwd"
           target="765ecf0e-....l4.monad.com"
           port="6514"
           protocol="tcp"
           StreamDriver="gtls"
           StreamDriverMode="1"
           StreamDriverAuthMode="anon")

Logs Commands

View Logs

# Organization logs
netapi monad logs

# Pipeline-specific logs
netapi monad logs-pipeline 765ecf0e-...
netapi monad logs-pipeline 765ecf0e-... -n 5

# API logs
netapi monad logs-api
netapi monad logs-api -n 20

Watch Logs (Real-time)

Poll logs continuously:

# Watch all org logs
netapi monad watch

# Watch specific pipeline
netapi monad watch 765ecf0e-...

# Custom interval (2 seconds)
netapi monad watch -i 2

# Limited polls (10 times then stop)
netapi monad watch -n 10

Batch Operations

Manage multiple pipelines at once.

Batch Enable

# Enable all disabled pipelines (dry run)
netapi monad batch-enable --all --dry-run

# Enable all disabled pipelines
netapi monad batch-enable --all

# Enable by pattern
netapi monad batch-enable -p "chla"
netapi monad batch-enable -p "prod" --dry-run

Batch Disable

# Disable all (dry run)
netapi monad batch-disable --all --dry-run

# Disable by pattern
netapi monad batch-disable -p "test"
netapi monad batch-disable -p "test" --force

Advanced Commands

Quick Pipeline

Create pipeline + input in one command:

# Create syslog pipeline (default)
netapi monad quick-pipeline "my-syslog"

# Specify output (must exist)
netapi monad quick-pipeline "prod-syslog" --output "AWS S3 Archive"

# HTTP input type
netapi monad quick-pipeline "webhook" -i monad-http

Pipeline Graph

Visualize pipeline flow:

netapi monad graph 765ecf0e-...

Sample Output

Pipeline: cisco-ise-prod
ID: 765ecf0e-20fe-494c-9406-f38ddd8fda1a

┌─ INPUTS
│  ● monad-syslog (9b6d1234...)
│
▼
┌─ TRANSFORMS
│  ● cef-parser
│
▼
┌─ OUTPUTS
│  ● monad-s3 (43fc5678...)
└─

Health Check

Check all components:

netapi monad health

Sample Output

Monad Health Check

✓ Pipelines: 5 total, 4 enabled, 1 disabled
    DISABLED: test-pipeline
✓ Inputs: 4 configured
✓ Outputs: 2 configured
✓ Transforms: 1 configured
✓ Auth: JWT valid, org matches

Clone Pipeline

Duplicate an existing pipeline:

# Clone with auto-generated name
netapi monad clone 765ecf0e-...

# Clone with custom name
netapi monad clone 765ecf0e-... --name "prod-copy"

Raw API Access

Make direct API requests:

# GET request
netapi monad api GET /pipelines
netapi monad api GET /inputs

# v2 API
netapi monad api GET /pipelines/765ecf0e-... -v v2

# POST request
netapi monad api POST /inputs -d '{"name": "test", "type": "monad-syslog"}' -v v2

# DELETE request
netapi monad api DELETE /pipelines/765ecf0e-... -v v2

JSON Output & jq Patterns

All commands support -f json for machine-readable output.

Exploring Structure

# See all keys
netapi monad pipelines -f json | jq '.[0] | keys'

# Keys with types
netapi monad pipelines -f json | jq '.[0] | to_entries | .[] | "\(.key): \(.value | type)"'

Pipeline Operations

# List pipeline names
netapi monad pipelines -f json | jq -r '.[].name'

# Enabled pipelines only
netapi monad pipelines -f json | jq '.[] | select(.enabled) | .name'

# Disabled pipelines
netapi monad pipelines -f json | jq '.[] | select(.enabled == false) | {name, id}'

# Summary object
netapi monad pipelines -f json | jq '.[] | {name, enabled, id: .id[0:8]}'

Input Operations

# Group by type
netapi monad inputs -f json | jq 'group_by(.type) | map({type: .[0].type, count: length})'

# Syslog inputs only
netapi monad inputs -f json | jq '.[] | select(.type | contains("syslog"))'

Catalog Search

# Search input catalog
netapi monad input-catalog -f json | jq '.[] | select(.name | test("cisco"; "i"))'

# Get type_id for scripting
netapi monad input-search cisco | jq -r '.[].type_id'

Environment Variables

Variable Description

Variable	Description
`MONAD_API_KEY`	JWT API key (required)
`MONAD_ORG_ID`	Organization ID (required)

MONAD_API_KEY

JWT API key (required)

MONAD_ORG_ID

Organization ID (required)

Use Cases

Daily Operations

# Morning health check
netapi monad health

# Check for disabled pipelines
netapi monad pipelines -f json | jq '.[] | select(.enabled == false) | .name'

# Watch for errors
netapi monad watch -i 10

Deployment Workflow

# 1. Create input
netapi monad input-create "new-device-syslog"

# 2. List outputs to find destination
netapi monad outputs

# 3. Create pipeline
netapi monad pipeline-create "new-device" \
  --input <input-id> \
  --output <output-id>

# 4. Enable
netapi monad pipeline-enable <pipeline-id>

# 5. Get syslog endpoint
netapi monad syslog-endpoint <pipeline-id>

Backup & Restore

# Export full config
netapi monad export -o monad-backup-$(date +%Y%m%d).json

# View backup contents
cat monad-backup-*.json | jq '.pipelines | length'

Troubleshooting

# 1. Verify credentials
netapi monad jwt-verify

# 2. Check pipeline status
netapi monad pipeline <id> --v2 -f json

# 3. View recent logs
netapi monad logs-pipeline <id> -n 20

# 4. Visualize flow
netapi monad graph <id>

Monad Commands

Overview

Prerequisites

Commands (30+ total)

Command Categories

Pipeline Commands

List Pipelines

Get Pipeline Details

Create Pipeline

Enable/Disable Pipeline

Delete Pipeline

Input Commands

List Organization Inputs

Input Catalog

Search Input Catalog

Create Input

Output Commands

List Organization Outputs

Output Catalog

Search Output Catalog

Transform Commands

List Transforms

Transform Catalog

Utility Commands

Organization Summary

Export Configuration

JWT Debug Commands

Syslog Configuration

Get Syslog Endpoint

Logs Commands

View Logs

Watch Logs (Real-time)

Batch Operations

Batch Enable

Batch Disable

Advanced Commands

Quick Pipeline

Pipeline Graph

Health Check

Clone Pipeline

Raw API Access

JSON Output & jq Patterns

Exploring Structure

Pipeline Operations

Input Operations

Catalog Search

Environment Variables

Use Cases

Daily Operations

Deployment Workflow

Backup & Restore

Troubleshooting

See Also