
How to change the index for the Splunk App and Add-on for Unix and Linux after installation in a distributed search environment?

ebethjones
New Member

We are in the process of deploying the Splunk App for Unix and Linux on our Linux servers in a distributed Splunk environment. I was able to successfully change the indexer from the default (os) to the one that we want to use in a standalone instance by modifying the instance name in the untarred source files for Unix app, then installing from those modified files. However, in the distributed environment, we want to be able to install from the source files and then be able to change the index after the install. We already have the index name that we want to use defined on our indexers, but I don't really understand how we can change the indexes after the app is installed. Can anyone give me a hand with this?

0 Karma

rphillips_splk
Splunk Employee

You would install the Splunk Add-on for Unix and Linux (*nix) app on your Linux hosts to collect the data. Within that app, in $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/inputs.conf, you will see where index = os is defined.

i.e.:

# Copyright (C) 2009-2012 Splunk Inc. All Rights Reserved.
[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
source = vmstat
index = os
disabled = 1

[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
index = os
disabled = 1

[script://./bin/ps.sh]
interval = 30
sourcetype = ps
source = ps
index = os
disabled = 1

You will want to create a /local folder and a new inputs.conf with these changes. Don't edit the inputs.conf that is in /default or it will get overwritten and revert back to the default when you upgrade the app.

Example:
On your Linux host with the universal forwarder installed:

$SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf

[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
index = yournewindexname
disabled = 1

*Change disabled = 0 to enable it.

Keep in mind any dashboards, searches, etc. that use index=os will have to be updated to the new index name. This seems like more administrative overhead than it is worth imo.

0 Karma

vr2312
Contributor

@rphillips [Splunk], if I modify anything under the /local directory of the App and I upgrade the app, I believe the changes will still remain. Am I right?

0 Karma

rphillips_splk
Splunk Employee

@vr2312 That's correct. If it's in /local (i.e. $SPLUNK_HOME/etc/system/local/ or $SPLUNK_HOME/etc/apps//local/), it will not be overwritten when you upgrade.

0 Karma
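The two points made in the answers above (override index in a local/inputs.conf rather than editing default/, and local/ settings surviving an app upgrade) come down to Splunk's per-attribute layering of default/ and local/. The following Python script is an added example, not part of the thread or of the Splunk add-on: it parses a constructed copy of the default/inputs.conf stanzas quoted above, generates the minimal local/inputs.conf needed to move every input from index=os to the new index (the index name yournewindexname from the answer is a placeholder), and then computes the effective configuration before and after a simulated upgrade to show that the local override is kept while the upgraded default values are picked up. The function names are the example's own, and the "upgraded" default file is constructed for the demonstration.

```python
import configparser

# Constructed sample of Splunk_TA_nix/default/inputs.conf, mirroring the
# stanzas quoted in the thread (not the add-on's real file).
DEFAULT_INPUTS_CONF = """\
[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
source = vmstat
index = os
disabled = 1

[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
index = os
disabled = 1

[script://./bin/ps.sh]
interval = 30
sourcetype = ps
source = ps
index = os
disabled = 1
"""

# Constructed: what a later add-on upgrade might ship as default/inputs.conf
# (vmstat interval changed). Used to show that local/ overrides survive.
UPGRADED_DEFAULT_INPUTS_CONF = DEFAULT_INPUTS_CONF.replace(
    "[script://./bin/vmstat.sh]\ninterval = 60",
    "[script://./bin/vmstat.sh]\ninterval = 120",
)


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; keys keep their case."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def generate_local_overrides(default_stanzas, old_index, new_index, enable=False):
    """Build the local/inputs.conf stanzas that move inputs from old_index
    to new_index. Splunk merges default/ and local/ per attribute, so only
    the attributes that change need to appear here; everything else is
    inherited from default/ and follows future upgrades."""
    local = {}
    for stanza, attrs in default_stanzas.items():
        if attrs.get("index") == old_index:
            local[stanza] = {"index": new_index}
            if enable:
                local[stanza]["disabled"] = "0"
    return local


def render_conf(stanzas):
    """Serialise {stanza: {key: value}} back into .conf text."""
    blocks = []
    for stanza, attrs in stanzas.items():
        lines = [f"[{stanza}]"] + [f"{k} = {v}" for k, v in attrs.items()]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def effective_config(default_stanzas, local_stanzas):
    """Apply Splunk's precedence: local/ attributes win over default/."""
    merged = {s: dict(a) for s, a in default_stanzas.items()}
    for stanza, attrs in local_stanzas.items():
        merged.setdefault(stanza, {}).update(attrs)
    return merged


def inputs_on_index(effective, index):
    """Stanzas still routed to the given index (sanity check after the move)."""
    return sorted(s for s, a in effective.items() if a.get("index") == index)


if __name__ == "__main__":
    default = parse_conf(DEFAULT_INPUTS_CONF)
    local = generate_local_overrides(default, "os", "yournewindexname", enable=True)
    # This text is what would go into $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf
    print(render_conf(local))
    before = effective_config(default, local)
    after = effective_config(parse_conf(UPGRADED_DEFAULT_INPUTS_CONF), local)
    print("still on os after override:", inputs_on_index(before, "os"))
    print("vmstat interval after upgrade:", after["script://./bin/vmstat.sh"]["interval"])
    print("vmstat index after upgrade:", after["script://./bin/vmstat.sh"]["index"])
```

Redirect the printed text into the local/inputs.conf path from the answer to apply it. On a real host, `splunk btool inputs list --debug` (run from $SPLUNK_HOME/bin) shows the same merged view and which file each attribute came from, which is the check to run after the change and again after an upgrade.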