Re: Splunk App for Unix and Linux with multiple in...

BrendanMcE · ‎06-11-2014

With Splunk App for Unix and Linux, it's is possible to state what indexes will be used.
However is it possible to configure a splunk server that could connect to a number of environments dev,test,live each with the app on but using the splunkforwarder to send it to the central splunk but each of the environments use its own index.

lmyrefelt · ‎06-17-2014

Yes, however it might require you to edit some views.

You should take a look at macros.conf to specify your indexes.
example;

[all-indexes]
definition = index=dev OR index=test OR index=live

[dev-index]
definition = index=dev

Call the macros using all-indexes in savessearches.conf and edit the views that might contain hard-references to the "default" os index / search, grep for index=os .

lmyrefelt · ‎06-17-2014

Thats sounds like it should work 🙂

BrendanMcE · ‎06-17-2014

So for Splunk App for Unix and Linux
edit the macros.conf on the server
change it to the following
[os_index]
definition = index=dev OR index=test OR index=live
Create a dev,test and live index on the server

The rest of the macros.conf then uses 'os_index'

Then edit the inputs.conf on the forwarder for each environment thus Development will send it to the dev index.
Now for the icing on the cake, set a role called dev with only access to the Dev index. Lets see if this will work.

Splunk App for Unix and Linux with multiple indexes

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation