Re: How do I modify configurations for an splunk a...

fl66

Hi,

I installed a splunk app and events are sent to default index. But I need to change the index to be a custom index. I tried to create local/inputs.conf file and repackaged the app. The app was rejected when I uploaded it to splunk cloud even if I changed the appID.

I also looked at Splunk ACS API, but could not figure out if that can be used to customize configuration files and what are the endpoint URL to use.

thanks in advance.

gcusello

Hi @fl66 ,

you could add a new custom index by interface and them modify your input to send logs to that index, where are these inputs, still on Splunk Cloud or on premise?

If on Splunk Cloud. modify them by interface or uploading a new version of the app, if on premise, modify them in the on premise installed version.

Ciao.

Giuseppe.

fl66

The app was installed from splunkbase. I tried to add the inputs.conf file to change to a custom index. The new package was rejected when I uploaded to splunk cloud, even if I changed the app ID.

Thank you!

gcusello

Hi @fl66 ,

if you installed from Splunkbase, the only way it to modify configurations by GUI, in other words:

go in [Settings > Indexes] and add a new custom input,
go in [Settings > inputs, search for the inputs of your app and manually (by gui) modify the index.

Ciao.

Giuseppe

How do I modify configurations for an splunk app installed on splunk cloud?

administration

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?