All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can we configure the Splunk App for Unix and Linux to search multiple indexes without creating multiple versions of the app?

pgsplunk91
New Member
‎10-16-2015 02:45 AM

What I want is to make the Splunk App for Unix and Linux search two indexes: one is by default the 'os' index and another index of my choice. Is it possible?

0 Karma
Reply

davebo1896
Communicator
‎10-16-2015 07:08 AM

Add this into local/macros.conf
[os_index]
definition = index=os OR index=myindex

0 Karma
Reply

michaelsimko
New Member
‎10-16-2015 06:58 AM

Yes, you can make the SA_nix search two indexes.

To do this, you are going to need to edit local versions of two files, and then restart Splunk. I included example folders, but your structure may vary.

Step 1: Create a local folder under the SA_nix app (example: /opt/splunk/etc/apps/SA_nix/local).

Step 2: From SA_nix, copy (while keeping the same permissions) both savedsearches.conf and macros.conf from the SA_nix/default directory and into SA_nix/local.
(example: cp -rp /opt/splunk/etc/apps/SA_nix/default/macros.conf /opt/splunk/etc/apps/SA_nix/local/).

Step 3: Edit local/macros.conf to include your desired index
Delete everything in the file
Add the following:

[os_index]
definition = (index=”os” index=”YOURNEWINDEX”)

Example:
[os_index]
definition = (index=”os” OR index=”otherlinuxgoo”)

Step 4: Edit local/savedsearches.conf
Delete everything in the file
Add the following:

[os_index]
[UNIX - Timechart Config Changes]
search = (index="os" OR index=”YOURNEWINDEX”) eventtype="nix_configs" | strcat source "@" host changelist | timechart count by changelist

Example:
[UNIX - Timechart Config Changes]
search = (index="os" OR index=”otherlinuxgoo”) eventtype="nix_configs" | strcat source "@" host changelist | timechart count by changelist

Step 5: Restart Splunk

Step 6: Validate it worked.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...