https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-and-Linux-with-multiple-indexes/m-p/195801#M20253 <P>So for Splunk App for Unix and Linux<BR /> edit the macros.conf on the server<BR /> change it to the following<BR /> [os_index]<BR /> definition = index=dev OR index=test OR index=live<BR /> Create a dev,test and live index on the server</P> <P>The rest of the macros.conf then uses 'os_index'</P> <P>Then edit the inputs.conf on the forwarder for each environment thus Development will send it to the dev index.<BR /> Now for the icing on the cake, set a role called dev with only access to the Dev index. Lets see if this will work.</P> Tue, 17 Jun 2014 15:47:37 GMT BrendanMcE 2014-06-17T15:47:37Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-and-Linux-with-multiple-indexes/m-p/195799#M20251 <P>With Splunk App for Unix and Linux, it's is possible to state what indexes will be used.<BR /> However is it possible to configure a splunk server that could connect to a number of environments dev,test,live each with the app on but using the splunkforwarder to send it to the central splunk but each of the environments use its own index.</P> Wed, 11 Jun 2014 14:01:49 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-and-Linux-with-multiple-indexes/m-p/195799#M20251 BrendanMcE 2014-06-11T14:01:49Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-and-Linux-with-multiple-indexes/m-p/195800#M20252 <P>Yes, however it might require you to edit some views.</P> <P>You should take a look at macros.conf to specify your indexes.<BR /> example; </P> <PRE><CODE>[all-indexes] definition = index=dev OR index=test OR index=live [dev-index] definition = index=dev </CODE></PRE> <P>Call the macros using <CODE>all-indexes</CODE> in savessearches.conf and edit the views that might contain hard-references to the "default" os index / search, grep for index=os .</P> Tue, 17 Jun 2014 11:45:03 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-and-Linux-with-multiple-indexes/m-p/195800#M20252 lmyrefelt 2014-06-17T11:45:03Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-and-Linux-with-multiple-indexes/m-p/195801#M20253 <P>So for Splunk App for Unix and Linux<BR /> edit the macros.conf on the server<BR /> change it to the following<BR /> [os_index]<BR /> definition = index=dev OR index=test OR index=live<BR /> Create a dev,test and live index on the server</P> <P>The rest of the macros.conf then uses 'os_index'</P> <P>Then edit the inputs.conf on the forwarder for each environment thus Development will send it to the dev index.<BR /> Now for the icing on the cake, set a role called dev with only access to the Dev index. Lets see if this will work.</P> Tue, 17 Jun 2014 15:47:37 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-and-Linux-with-multiple-indexes/m-p/195801#M20253 BrendanMcE 2014-06-17T15:47:37Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-and-Linux-with-multiple-indexes/m-p/195802#M20254 <P>Thats sounds like it should work <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 17 Jun 2014 16:36:31 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-and-Linux-with-multiple-indexes/m-p/195802#M20254 lmyrefelt 2014-06-17T16:36:31Z