Solved: How to make *NIX app send data to the os index onl...

danielpellarini · ‎09-23-2013

I have just realized that the NIX app is sending data to the os index (which is correct) but **also* to the main index.

Is this normal behavior? I was expecting the app to send data to the os index only, since it is created exactly for this purpose...

Update: My mistake, the app correctly sends the data to the os index only, I got confused because searching for example for sourcetype=top in the search app bring up results from the os index as well, whereas for other indexes I need to manually specify the index to search.

danielpellarini · ‎09-25-2013

For some reason, in this case the os index gets searched even if you don't specify it explicitly, which means that searching for sourcetype=top will search the os index and not the main index. This doesn't happen with other indexes, which I manually have to type in the search bar in order to search data inside them.

A quick search for index=main sourcetype=top showed that the *NIX app data is not sent to the main index.

View solution in original post

danielpellarini · ‎09-25-2013

For some reason, in this case the os index gets searched even if you don't specify it explicitly, which means that searching for sourcetype=top will search the os index and not the main index. This doesn't happen with other indexes, which I manually have to type in the search bar in order to search data inside them.

A quick search for index=main sourcetype=top showed that the *NIX app data is not sent to the main index.

danielpellarini · ‎09-26-2013

@sowings yep, that was it. Thanks for the comment 🙂

lukejadamec · ‎09-25-2013

You're right. Both main and os were in my role. Removing os removed the behavior.

sowings · ‎09-25-2013

The behavior you're describing is related to the "indexed searched by default" for your user role. The os index has probably been added to that list for your role, so you don't have to type it in; it's searched automatically. Note that you can still expressly include it in your search terms (and then you'd search only that index).

lukejadamec · ‎09-23-2013

Makes sense, that what I see also. Not sure why that is. My other custom indexes need to be specifically called out in the search.

danielpellarini · ‎09-23-2013

@lukejadamec As far as I can tell, all the inputs and sourcetypes I have enabled in the NIX app end up in the main index too. I haven't checked them all, but all of the inputs I have checked behave like this, and it started immediately after configuring the NIX app.

sowings · ‎09-23-2013

The scripted inputs may send the diagnostic output from their scripts (e.g. "df", "top", etc) to the default database. I would check the inputs.conf definition for the script:: inputs to see if they include an index definition.

sowings · ‎09-23-2013

So if you were to search for "(index=main OR index=os) sourcetype=df"*, you'd get records for the same host in both indexes? And for the same time?

* Here, use a sourcetype appropriate for what you've enabled in your environment, df was just an example.

danielpellarini · ‎09-23-2013

Hi sowings, thank you for your answer. The inputs.conf file contains the line index=os for every input stanza.

lukejadamec · ‎09-23-2013

I'm not seeing this behavior. Can you be more specific regarding the event source/sourcetypes that are being indexed in main?

How to make *NIX app send data to the os index only?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...