Is it the SA_nix app, or Splunk App for Nix that contains the indexes.conf for an indexer?

msarro
Builder

Hey everyone. We have a ton of indexers we need to deploy this app to, and I need to perform all configuration steps in advance so they can be deployed with no post-install configuration using the deployment server. Our search heads are configured to forward all data to indexers.

The documentation isn't so great on doing this - it seems to assume you're doing the install manually on each search head and indexer. That will not work in our environment where we have a short maintenance window and lots of indexers to perform the installation on.

Only the SA_nix app seems to have an indexes.conf file, so I am assuming that that is the one that must be placed on an indexer? It only contains a summary index, it does not contain the OS index that seems to be the default.

Where do I put the indexes.conf entry for the os index so that when we try to log in to the app it doesn't prompt for configuration?

bandit
Motivator

In the scenario where you only needed to set up the indexes, you could just copy the contents of the *nix indexes.conf to your own indexes.conf file on your indexer. This assumes that you don't want to collect metrics from your indexers themselves like cpu, memory, etc. and just need to create the indexes so you can forward *nix metrics from other forwarders and/or search heads.

[os]
homePath = $SPLUNK_DB/os/db
coldPath = $SPLUNK_DB/os/colddb
thawedPath = $SPLUNK_DB/os/thaweddb

[firedalerts]
coldPath = $SPLUNK_DB/firedalerts/colddb
homePath = $SPLUNK_DB/firedalerts/db
thawedPath = $SPLUNK_DB/firedalerts/thaweddb

[unix_summary]
homePath   = $SPLUNK_DB/unix_summary/db
coldPath   = $SPLUNK_DB/unix_summary/colddb
thawedPath = $SPLUNK_DB/unix_summary/thaweddb
maxTotalDataSizeMB = 10000

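A pre-deployment sanity check for the indexes.conf that gets pushed out, added here as an example and not code from the thread or from the Splunk App for *nix: it parses the file, confirms the three stanzas named in the answer above ([os], [firedalerts], [unix_summary]) exist with homePath, coldPath and thawedPath, and, for the volume-based overrides the asker later mentions placing in local/, checks that every `volume:` reference resolves to a defined [volume:...] stanza and that no two indexes share a path. The sample configuration and the `volume:hot` name are constructed for this example; a failed check on the deployment server is cheaper than an indexer that refuses to start inside the maintenance window.

```python
"""Sanity-check a Splunk indexes.conf before handing it to the deployment server.

Added example; the sample config below is constructed, not taken from the app.
"""
import configparser
import re

# Constructed sample: the stanzas from the answer above plus a volume-based
# homePath of the kind an indexer-specific local/ override would carry.
SAMPLE_INDEXES_CONF = """\
[volume:hot]
path = /opt/splunk/var/lib/splunk

[os]
homePath = volume:hot/os/db
coldPath = $SPLUNK_DB/os/colddb
thawedPath = $SPLUNK_DB/os/thaweddb

[firedalerts]
coldPath = $SPLUNK_DB/firedalerts/colddb
homePath = $SPLUNK_DB/firedalerts/db
thawedPath = $SPLUNK_DB/firedalerts/thaweddb

[unix_summary]
homePath   = $SPLUNK_DB/unix_summary/db
coldPath   = $SPLUNK_DB/unix_summary/colddb
thawedPath = $SPLUNK_DB/unix_summary/thaweddb
maxTotalDataSizeMB = 10000
"""

REQUIRED_PATH_KEYS = ("homePath", "coldPath", "thawedPath")
# Indexes the *nix app expects on the indexer, per the answer in this thread.
REQUIRED_INDEXES = ("os", "firedalerts", "unix_summary")


def parse_indexes_conf(text):
    """Parse indexes.conf into {stanza: {key: value}}.

    Splunk .conf files are INI-like, but keys are case-sensitive, so the
    default lower-casing of configparser is switched off. Interpolation is
    disabled so values such as $SPLUNK_DB/os/db are kept verbatim.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=True)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def check_indexes_conf(text, required=REQUIRED_INDEXES):
    """Return a list of problems found; an empty list means the file is deployable."""
    conf = parse_indexes_conf(text)
    volumes = {s[len("volume:"):] for s in conf if s.startswith("volume:")}
    indexes = {s: kv for s, kv in conf.items()
               if not s.startswith("volume:") and s != "default"}
    problems = []

    for name in required:
        if name not in indexes:
            problems.append(f"missing index stanza [{name}]")

    seen_paths = {}  # path value -> "[stanza] key" that first used it
    for name, kv in indexes.items():
        for key in REQUIRED_PATH_KEYS:
            value = kv.get(key)
            if value is None:
                problems.append(f"[{name}] lacks {key}")
                continue
            # A volume:NAME/... path must point at a [volume:NAME] stanza,
            # otherwise splunkd rejects the configuration at startup.
            m = re.match(r"volume:([^/]+)/", value)
            if m and m.group(1) not in volumes:
                problems.append(
                    f"[{name}] {key} references undefined volume '{m.group(1)}'")
            # Two indexes writing into the same directory corrupt each other.
            if value in seen_paths:
                problems.append(
                    f"[{name}] {key} reuses path {value} already used by {seen_paths[value]}")
            seen_paths.setdefault(value, f"[{name}] {key}")
    return problems


if __name__ == "__main__":
    for problem in check_indexes_conf(SAMPLE_INDEXES_CONF) or ["no problems found"]:
        print(problem)
```

Point `check_indexes_conf` at the merged result of the app's default/indexes.conf and your local/indexes.conf (local wins key by key in Splunk's own precedence, which this simple parser does not model), and gate the deployment-server push on an empty result.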
msarro
Builder

Excellent - this is what I needed. I created a copy of the SA_nix app's indexes.conf file in the local/ directory, complete with custom volume information for indexers. Everything seems to be working now when being pushed out with the deployment server. Appreciate the help!

bandit
Motivator

splunk_app_for_nix-5.0.0-182057.zip, the latest version, has the full app and the TA in a subdirectory of the zip file.

splunk_app_for_nix-5.0.0-182057.zip\etc\apps\Splunk_TA_nix

Looks like you can also directly download just the TA in its own tgz file (Splunk_TA_nix-5.0.0-181970.tgz)

It appears that the file with the full app and the TA (splunk_app_for_nix-5.0.0-182057.zip) has a slightly newer version of the TA though (build = 182057), whereas the TA-only file (Splunk_TA_nix-5.0.0-181970.tgz) has a version (build = 181970) according to the app.conf file contained within.

mikelanghorst
Motivator

The Splunk For Unix app has 3 components required: The main app, the TA, and the SA. The indexes you're looking for are in the Splunk_TA_unix app.
