All Apps and Add-ons

How to configure *NIX App lightweight forwarder to send data to remote index

New Member

How do I configure a forwarder to forward *NIX App data to a specific "OS" index on a remote Splunkd server?

0 Karma

Splunk Employee
Splunk Employee

By default, the Splunk *NIX app will send all data to the "os" index. If you enable forwarding on a system in addition to the *NIX app, data will be sent to the "os" index on the receiver (Splunk indexer). There are a few things you can do with respect to forwarding that particular data:

  1. Forwarding can be setup to go to specific hosts
  2. The *NIX app can be setup to index to a different index name

From your question, it sounds like you simply want to change #2. To alter the index where the Forwarder will send data, the inputs.conf file for the *NIX app on the Forwarder will need to be edited. Specifically, you should replace all of the "index=os" parameters to become "index=new_os_index" (or whatever index name you want). Additionally, you will need to make sure you have created this new index (new_os_index) on your Splunk indexer. So to review:

  1. Create your new index on the Splunk indexer (e.g. - index=new_os_index)
  2. Edit the *NIX app's inputs.conf file on the Forwarder so that the new index name is used. This file should be located in $SPLUNK_HOME/etc/apps/unix/default/inputs.conf. The preferred method to edit this would be to copy the current inputs.conf file into $SPLUNK_HOME/etc/apps/unix/local and edit the file there. Editing the default file is a bad idea as it may get overwritten in an upgrade. Also, copying configuration files and placing them in the /local location is typically not recommended.
Get Updates on the Splunk Community!

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...

Introduction to Splunk AI

WATCH NOWHow are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. ...