How to configure *NIX App lightweight forwarder to send data to remote index

jrieger
New Member

How do I configure a forwarder to forward *NIX App data to a specific "OS" index on a remote Splunkd server?

0 Karma

Simeon
Splunk Employee

By default, the Splunk *NIX app will send all data to the "os" index. If you enable forwarding on a system in addition to the *NIX app, data will be sent to the "os" index on the receiver (Splunk indexer). There are a few things you can do with respect to forwarding that particular data:

  1. Forwarding can be set up to go to specific hosts
  2. The *NIX app can be set up to index to a different index name

From your question, it sounds like you simply want to change #2. To alter the index where the Forwarder will send data, the inputs.conf file for the *NIX app on the Forwarder will need to be edited. Specifically, you should replace all of the "index=os" parameters to become "index=new_os_index" (or whatever index name you want). Additionally, you will need to make sure you have created this new index (new_os_index) on your Splunk indexer. So to review:

  1. Create your new index on the Splunk indexer (e.g. - index=new_os_index)
  2. Edit the *NIX app's inputs.conf file on the Forwarder so that the new index name is used. This file should be located in $SPLUNK_HOME/etc/apps/unix/default/inputs.conf. The preferred method to edit this would be to copy the current inputs.conf file into $SPLUNK_HOME/etc/apps/unix/local and edit the file there. Editing the default file is a bad idea as it may get overwritten in an upgrade. Also, copying configuration files and placing them in the /local location is typically not recommended.
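
Step 2 of the answer above as a shell function, added here as an example and not part of the original answer or of Splunk's tooling. The function name `retarget_unix_index` and the index-name check are assumptions of this example; the index itself still has to be created on the indexer first.

```shell
#!/bin/sh
# Added example: copy the *NIX app's default inputs.conf to local/ and
# retarget "index=os" to a new index, as described in the answer.
# retarget_unix_index is a hypothetical helper name, not a Splunk command.
#
# Usage: retarget_unix_index "$SPLUNK_HOME/etc/apps/unix" new_os_index
retarget_unix_index() {
    app_dir=$1
    new_index=$2
    src="$app_dir/default/inputs.conf"
    dst="$app_dir/local/inputs.conf"

    if [ ! -f "$src" ]; then
        echo "missing $src" >&2
        return 1
    fi

    # Conservative name check (assumption of this example): lowercase
    # letters, digits, "_" and "-" only, so the value cannot break the
    # sed expression or the .conf syntax.
    case $new_index in
        ''|*[!a-z0-9_-]*) echo "bad index name: $new_index" >&2; return 1 ;;
    esac

    # Never clobber an existing local override; merge that by hand.
    if [ -e "$dst" ]; then
        echo "$dst already exists, not overwriting" >&2
        return 1
    fi

    mkdir -p "$app_dir/local" || return 1

    # Rewrite only settings whose value is exactly "os" (with or without
    # spaces around "="). Other values such as "os_archive" and commented
    # lines are left untouched. default/inputs.conf is only read.
    sed -E "s/^([[:space:]]*index[[:space:]]*=[[:space:]]*)os[[:space:]]*\$/\1$new_index/" \
        "$src" > "$dst"
}
```

Restart the forwarder after the change so the new inputs.conf is read.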