Splunk App for Unix: Configuring

mikelanghorst
Motivator

One of the items on the doc page is confusing - link text

Important:

You can not configure the Splunk App for Unix and Linux from the command line. You must use the Settings pages, described in detail in this topic.
Conversely, there is no way to configure the Splunk Add-on for Unix and Linux in any other way than the command line.

Though the doc does point out this:
Use the Settings: Categories page to add host categories and groups. When you make these changes, the Splunk App for Unix and Linux writes them to $SPLUNK_HOME/etc/apps/SA-nix/lookups/dropdowns.csv.

Are we truly forced to use the UI only to configure the category/grouping? This would be a major pain.

1 Solution

Lucas_K
Motivator

You can manually edit the file from the command line: $SPLUNK_HOME/etc/apps/SA-nix/lookups/dropdowns.csv

The format of this file is

host,unix_category,unix_group
some_example_host,some__example_category,some_example_group

ChrisG
Splunk Employee

You can configure the Splunk Add-on for Unix and Linux from the command line. In fact, that's the only way you can configure the add-on.

You can configure the Splunk App for Unix and Linux only from Splunk Web.

We've updated the docs to clarify.

araitz
Splunk Employee

Lucas K is correct, you can edit the file from the CLI, using your favorite CSV editor, or have a saved search update the values. A few important things to consider:

  • make sure you retain the column order: host, unix_category, unix_group
  • make sure you delete the default entry of "*,all_hosts,default" before you add any other entries
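
The command-line edit described in the two points above, as an added example that is not part of the original posts or of Splunk's own tooling: it checks the column order, removes the default entry and appends new rows. The function names, host names, categories and groups are constructed, and skipping exact duplicate rows is an assumption.

```python
import csv
import io
import os
import shutil
import tempfile

HEADER = ["host", "unix_category", "unix_group"]   # column order from the thread
DEFAULT_ROW = ["*", "all_hosts", "default"]        # default entry to delete


def merge_rows(csv_text, new_rows):
    """Return dropdowns.csv content with new_rows added.

    Refuses a file whose header is not exactly HEADER, drops the default
    entry, skips exact duplicates and rejects rows with empty fields.
    """
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if r]
    if not rows or [c.strip() for c in rows[0]] != HEADER:
        raise ValueError("unexpected header: %r" % (rows[:1],))
    merged = []
    for row in rows[1:] + [list(r) for r in new_rows]:
        row = [c.strip() for c in row]
        if len(row) != len(HEADER) or not all(row):
            raise ValueError("bad row: %r" % (row,))
        if row != DEFAULT_ROW and row not in merged:
            merged.append(row)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(HEADER)
    writer.writerows(merged)
    return out.getvalue()


def update_file(path, new_rows):
    """Rewrite path via a temp file so a rejected edit leaves it untouched."""
    with open(path, newline="") as fh:
        content = merge_rows(fh.read(), new_rows)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", newline="") as fh:
        fh.write(content)
    shutil.copymode(path, tmp)   # mkstemp creates 0600; keep the original mode
    os.replace(tmp, path)


# Constructed sample: header plus the default entry named in the thread.
SAMPLE = "host,unix_category,unix_group\n*,all_hosts,default\n"

if __name__ == "__main__":
    print(merge_rows(SAMPLE, [("web01", "production", "web"),
                              ("db01", "production", "database")]), end="")
```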

jspears
Communicator

My guess would be that anything that creates a sane .csv is fine, including vi. I'm not in a position to test that, so not posting this as an actual answer. 🙂
