All Apps and Add-ons

How to configure *NIX App lightweight forwarder to send data to remote index

New Member

How do I configure a forwarder to forward *NIX App data to a specific "OS" index on a remote Splunkd server?

0 Karma

Splunk Employee
Splunk Employee

By default, the Splunk *NIX app will send all data to the "os" index. If you enable forwarding on a system in addition to the *NIX app, data will be sent to the "os" index on the receiver (Splunk indexer). There are a few things you can do with respect to forwarding that particular data:

  1. Forwarding can be setup to go to specific hosts
  2. The *NIX app can be setup to index to a different index name

From your question, it sounds like you simply want to change #2. To alter the index where the Forwarder will send data, the inputs.conf file for the *NIX app on the Forwarder will need to be edited. Specifically, you should replace all of the "index=os" parameters to become "index=new_os_index" (or whatever index name you want). Additionally, you will need to make sure you have created this new index (new_os_index) on your Splunk indexer. So to review:

  1. Create your new index on the Splunk indexer (e.g. - index=new_os_index)
  2. Edit the *NIX app's inputs.conf file on the Forwarder so that the new index name is used. This file should be located in $SPLUNK_HOME/etc/apps/unix/default/inputs.conf. The preferred method to edit this would be to copy the current inputs.conf file into $SPLUNK_HOME/etc/apps/unix/local and edit the file there. Editing the default file is a bad idea as it may get overwritten in an upgrade. Also, copying configuration files and placing them in the /local location is typically not recommended.
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...