topic Re: How to make *NIX app send data to the os index only? in All Apps and Add-ons

How to make *NIX app send data to the os index only?

danielpellarini — Mon, 28 Sep 2020 14:49:45 GMT

I have just realized that the NIX app is sending data to the os index (which is correct) but **also* to the main index.

Is this normal behavior? I was expecting the app to send data to the os index only, since it is created exactly for this purpose...

Update: My mistake, the app correctly sends the data to the os index only, I got confused because searching for example for sourcetype=top in the search app bring up results from the os index as well, whereas for other indexes I need to manually specify the index to search.

Re: How to make *NIX app send data to the os index only?

lukejadamec — Mon, 23 Sep 2013 16:21:12 GMT

I'm not seeing this behavior. Can you be more specific regarding the event source/sourcetypes that are being indexed in main?

Re: How to make *NIX app send data to the os index only?

sowings — Mon, 23 Sep 2013 16:36:43 GMT

The scripted inputs may send the diagnostic output from their scripts (e.g. "df", "top", etc) to the default database. I would check the inputs.conf definition for the script:: inputs to see if they include an index definition.

Re: How to make *NIX app send data to the os index only?

danielpellarini — Mon, 23 Sep 2013 17:10:21 GMT

@lukejadamec As far as I can tell, all the inputs and sourcetypes I have enabled in the NIX app end up in the main index too. I haven't checked them all, but all of the inputs I have checked behave like this, and it started immediately after configuring the NIX app.

Re: How to make *NIX app send data to the os index only?

danielpellarini — Mon, 23 Sep 2013 17:12:13 GMT

Hi sowings, thank you for your answer. The inputs.conf file contains the line index=os for every input stanza.

Re: How to make *NIX app send data to the os index only?

sowings — Mon, 23 Sep 2013 17:16:55 GMT

So if you were to search for "(index=main OR index=os) sourcetype=df"*, you'd get records for the same host in both indexes? And for the same time?

* Here, use a sourcetype appropriate for what you've enabled in your environment, df was just an example.

Re: How to make *NIX app send data to the os index only?

lukejadamec — Mon, 23 Sep 2013 17:57:34 GMT

Makes sense, that what I see also. Not sure why that is. My other custom indexes need to be specifically called out in the search.

Re: How to make *NIX app send data to the os index only?

danielpellarini — Wed, 25 Sep 2013 16:20:09 GMT

For some reason, in this case the os index gets searched even if you don't specify it explicitly, which means that searching for sourcetype=top will search the os index and not the main index. This doesn't happen with other indexes, which I manually have to type in the search bar in order to search data inside them.

A quick search for index=main sourcetype=top showed that the *NIX app data is not sent to the main index.

Re: How to make *NIX app send data to the os index only?

sowings — Wed, 25 Sep 2013 16:41:32 GMT

The behavior you're describing is related to the "indexed searched by default" for your user role. The os index has probably been added to that list for your role, so you don't have to type it in; it's searched automatically. Note that you can still expressly include it in your search terms (and then you'd search only that index).

Re: How to make *NIX app send data to the os index only?

lukejadamec — Wed, 25 Sep 2013 16:49:43 GMT

You're right. Both main and os were in my role. Removing os removed the behavior.

Re: How to make *NIX app send data to the os index only?

danielpellarini — Thu, 26 Sep 2013 15:54:59 GMT

@sowings yep, that was it. Thanks for the comment 🙂