How to change the index for the Splunk App and Add-on for Unix and Linux after installation in a distributed search environment?

ebethjones
New Member

We are in the process of deploying the Splunk App for Unix and Linux on our Linux servers in a distributed Splunk environment. I was able to successfully change the indexer from the default (os) to the one that we want to use in a standalone instance by modifying the instance name in the untarred source files for Unix app, then installing from those modified files. However, in the distributed environment, we want to be able to install from the source files and then be able to change the index after the install. We already have the index name that we want to use defined on our indexers, but I don't really understand how we can change the indexes after the app is installed. Can anyone give me a hand with this?

0 Karma

rphillips_splk
Splunk Employee

You would install the Splunk Add-on for Unix and Linux (*nix) app on your Linux hosts to collect the data. Within that app, in $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/inputs.conf, you will see where index = os is defined.

i.e.:

# Copyright (C) 2009-2012 Splunk Inc. All Rights Reserved.
[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
source = vmstat
index = os
disabled = 1

[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
index = os
disabled = 1

[script://./bin/ps.sh]
interval = 30
sourcetype = ps
source = ps
index = os
disabled = 1

You will want to create a /local folder and a new inputs.conf with these changes. Don't edit the inputs.conf that is in /default or it will get overwritten and revert back to the default when you upgrade the app.

Example, on your Linux host with the universal forwarder installed:

$SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf

[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
index = yournewindexname
disabled = 1

* Change it to disabled = 0 to enable it.

Keep in mind any dashboards, searches, etc. that use index=os will have to be updated to the new index name. This seems like more administrative overhead than it is worth imo.

0 Karma
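As an added example (not from this thread and not part of the add-on), a small Python helper that generates the local/inputs.conf override described above for every stanza whose default index is os, leaving default/inputs.conf untouched. The sample stanza text and the index name linux_os are constructed; the app directory is assumed to be the $SPLUNK_HOME/etc/apps/Splunk_TA_nix path quoted above.

```python
import os
import re

# Constructed sample mirroring the default/inputs.conf stanzas quoted above.
SAMPLE_DEFAULT = """\
# Copyright (C) 2009-2012 Splunk Inc. All Rights Reserved.
[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
source = vmstat
index = os
disabled = 1

[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
index = os
disabled = 1
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def build_local_overrides(default_text, new_index, old_index="os"):
    """Return local/inputs.conf text that overrides only the index key of every
    stanza whose default index is old_index. Splunk layers local over default
    setting by setting, so interval/sourcetype/disabled need not be repeated."""
    stanza, out = None, []
    for raw in default_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no settings
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group(1)
        elif "=" in line and stanza is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "index" and value == old_index:
                out.append(f"[{stanza}]\nindex = {new_index}\n")
    return "\n".join(out)


def write_local_overrides(app_dir, new_index):
    """Read default/inputs.conf under app_dir (assumed Splunk_TA_nix layout)
    and write the index overrides to local/inputs.conf, creating local/."""
    with open(os.path.join(app_dir, "default", "inputs.conf")) as fh:
        text = build_local_overrides(fh.read(), new_index)
    os.makedirs(os.path.join(app_dir, "local"), exist_ok=True)
    with open(os.path.join(app_dir, "local", "inputs.conf"), "w") as fh:
        fh.write(text)  # disabled stays 1 from default until overridden too
    return text
```

After writing the file, the merged result can be checked on the forwarder with `splunk btool inputs list --app=Splunk_TA_nix --debug`, which shows which file each setting comes from.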

vr2312
Contributor

@rphillips [Splunk], if I modify anything under the /local directory of the app and I upgrade the app, I believe the changes will still remain. Am I right?

0 Karma

rphillips_splk
Splunk Employee

@vr2312 that's correct, if it's in /local (i.e. $SPLUNK_HOME/etc/system/local/, or $SPLUNK_HOME/etc/apps//local/) it will not be overwritten when you upgrade.

0 Karma