All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to change the index for the Splunk App and Add-on for Unix and Linux after installation in a distributed search environment?

ebethjones
New Member
‎09-03-2015 08:06 AM

We are in the process of deploying the Splunk App for Unix and Linux on our Linux servers in a distributed Splunk environment. I was able to successfully change the indexer from the default (os) to the one that we want to use in a standalone instance by modifying the instance name in the untarred source files for Unix app, then installing from those modified files. However, in the distributed environment, we want to be able to install from the source files and then be able to change the index after the install. We already have the index name that we want to use defined on our indexers, but I don't really understand how we can change the indexes after the app is installed. Can anyone give me a hand with this?

0 Karma
Reply

rphillips_splk
Splunk Employee
Splunk Employee
‎09-15-2015 03:45 PM

You would install the Splunk Add-on for Unix and Linux (*nix) app on your linux hosts to collect the data. Within that app $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/inputs.conf you will see where the index=os is defined.

ie:

# Copyright (C) 2009-2012 Splunk Inc. All Rights Reserved.
[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
source = vmstat
index = os
disabled = 1

[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
index = os
disabled = 1

[script://./bin/ps.sh]
interval = 30
sourcetype = ps
source = ps
index = os
disabled = 1

You will want to create a /local folder and a new inputs.conf with these changes. Don't edit the inputs.conf that is in /default or it will get overwritten and revert back to the default when you upgrade the app.

example:
on your linux host with universal forwarder installed:

$SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf

[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
index = yournewindexname
disabled = 1

*change disabled= 0 to enable it.

keep in mind any dashboards, searches , etc that use index=os will have to be updated to the new index name. This seems like more administrative overhead than it is worth imo./

0 Karma
Reply

vr2312
Builder
‎01-02-2018 05:06 AM

@rphillips [Splunk], If i modify anything under the /local directory of the App and i upgrade the app, i believe the changes will still remain. Am i right ?

0 Karma
Reply

rphillips_splk
Splunk Employee
Splunk Employee
‎01-08-2018 10:56 AM

@vr2312 that's correct , if its in /local (ie: $SPLUNK_HOME/etc/system/local/ , or $SPLUNK_HOME/etc/apps//local/ it will not be overwritten when you upgrade.

0 Karma
Reply
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...