All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can we configure the Splunk App for Unix and Linux to search multiple indexes without creating multiple versions of the app?

pgsplunk91
New Member
‎10-16-2015 02:45 AM

What I want is to make the Splunk App for Unix and Linux search two indexes: one is by default the 'os' index and another index of my choice. Is it possible?

0 Karma
Reply

davebo1896
Communicator
‎10-16-2015 07:08 AM

Add this into local/macros.conf
[os_index]
definition = index=os OR index=myindex

0 Karma
Reply

michaelsimko
New Member
‎10-16-2015 06:58 AM

Yes, you can make the SA_nix search two indexes.

To do this, you are going to need to edit local versions of two files, and then restart Splunk. I included example folders, but your structure may vary.

Step 1: Create a local folder under the SA_nix app (example: /opt/splunk/etc/apps/SA_nix/local).

Step 2: From SA_nix, copy (while keeping the same permissions) both savedsearches.conf and macros.conf from the SA_nix/default directory and into SA_nix/local.
(example: cp -rp /opt/splunk/etc/apps/SA_nix/default/macros.conf /opt/splunk/etc/apps/SA_nix/local/).

Step 3: Edit local/macros.conf to include your desired index
Delete everything in the file
Add the following:

[os_index]
definition = (index=”os” index=”YOURNEWINDEX”)

Example:
[os_index]
definition = (index=”os” OR index=”otherlinuxgoo”)

Step 4: Edit local/savedsearches.conf
Delete everything in the file
Add the following:

[os_index]
[UNIX - Timechart Config Changes]
search = (index="os" OR index=”YOURNEWINDEX”) eventtype="nix_configs" | strcat source "@" host changelist | timechart count by changelist

Example:
[UNIX - Timechart Config Changes]
search = (index="os" OR index=”otherlinuxgoo”) eventtype="nix_configs" | strcat source "@" host changelist | timechart count by changelist

Step 5: Restart Splunk

Step 6: Validate it worked.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...