
Switch indexes an App is using?

summitsplunk
Communicator

We created a bunch of indexes for our apps.

Some of the apps I've installed I can specify the index it uses in the GUI but some I cannot.

My question is, if it's not in the GUI for the app, where/how do I tell the app to use the index we created for it?

For example with the onelogin for splunk app or the TA-PRTG app.

I tried creating an inputs.conf file and putting it in the local folder of the app with just one line like this:

index = myindex

But that didn't seem to make a difference.

Any help or clarification of how this works would be much appreciated.

Thanks!

0 Karma

nickhills
Ultra Champion

It's recommended "app best practice" not to create indexes anymore when apps are installed, although not all the apps have caught up with the new guidelines yet.

This means it's down to the user to decide which indexes to create and which inputs go where.

If you are running a distributed environment, creating indexes (either by your actions, or that of an app) on indexers will not be shared with your search heads or heavy forwarders. If you need to use the UI to amend your inputs and want to select the index of your choice, the easiest thing to do is create an index of the same name on your SH and HFs (you only need to set it to something very small, 10 MB or something).

If my comment helps, please give it a thumbs up!
0 Karma

summitsplunk
Communicator

Hello,
I have a single node running all the components of Splunk.

I've read your answer a few times and I'm having a hard time understanding as I'm very new to Splunk.

Maybe I'm using the terms wrong, but the way I see it, "indexes" are like virtual disks, and I just want to specify which place to ingest the data into for a particular app.

The app is currently using "_internal" but I want it to use another index I created because it's on a bigger physical disk.

How do I modify the app to use another index?

0 Karma

nickhills
Ultra Champion

_internal is a special case, because it's only for logs generated by the Splunk process (i.e. Splunk's own logs). You cannot (afaik) redirect logs destined for _internal to another index. You would have to move the whole index to another disk if you are running out of space. Is this what you would like to do? (What OS are you using?)

If my comment helps, please give it a thumbs up!
0 Karma

summitsplunk
Communicator

I'm running Ubuntu 16.04.

_internal isn't running out of space quite yet, but that's good to know that I'd have to do that if it is in the future.

About "redirecting" data to another index in general, if I wasn't talking about _internal but another non-special-case index:

Is there a way to redirect the data to an index of choice with something like an "inputs.conf" file for the app?

0 Karma

nickhills
Ultra Champion

Yes, exactly that. Every input will normally specify a target index (if it doesn't, it will use the default index, which is usually main). You can override an input by modifying the /local/inputs.conf file (creating it if necessary).

In the local inputs.conf, for the given stanza you modify:
[monitor:///somepath/somefile.log]
index = yourIndex

Apologies for poor formatting/typos. I am on a phone 🙂

If my comment helps, please give it a thumbs up!
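Worked example, added for this page and not part of the thread above: a small shell script that builds a throwaway Splunk app directory and resolves which index an input ends up in once local/inputs.conf is layered over default/inputs.conf, the way the reply above describes. The app name "TA-example", its two monitor stanzas and the index "myindex" are all constructed for the example; it does not need Splunk installed. It also models the bare "index = myindex" line from the original question: a key with no stanza header lands in the [default] stanza, so it only fills in inputs that set no index at all and never overrides a stanza that explicitly sets one. The same stanza-matching rule applies to modular inputs such as the PRTG or OneLogin apps; the header in local must match the one in default exactly, whatever its scheme. Finally, as the first reply notes, the target index must exist wherever the data is indexed (splunkd drops events sent to an index it does not know), so the script also writes and checks a minimal indexes.conf stanza; on a search head or heavy forwarder that only needs the name, a tiny cap is enough.

```shell
#!/bin/sh
# Added example (not code from the thread): model Splunk's default/local layering
# for inputs.conf and check which index each input will write to.
# Constructed data: app "TA-example", its stanzas and index "myindex" are hypothetical.
set -eu

SANDBOX=$(mktemp -d)
GOOD_APP="$SANDBOX/etc/apps/TA-example"        # override with the matching stanza header
BARE_APP="$SANDBOX/etc/apps/TA-example-bare"   # the bare "index = myindex" attempt

make_app() {   # make_app APPDIR LOCAL_INPUTS_BODY
    mkdir -p "$1/default" "$1/local"
    cat > "$1/default/inputs.conf" <<'EOF'
# shipped by the app; never edit this copy, it is replaced on upgrade
[monitor:///var/log/example/app.log]
sourcetype = example:app
index = main
disabled = 0

[monitor:///var/log/example/audit.log]
sourcetype = example:audit
disabled = 0
EOF
    printf '%s\n' "$2" > "$1/local/inputs.conf"
}

make_app "$GOOD_APP" '[monitor:///var/log/example/app.log]
index = myindex'
make_app "$BARE_APP" 'index = myindex'

# The index must be defined where the data is indexed; here it lives in the app's
# local/indexes.conf. maxTotalDataSizeMB keeps a SH/HF placeholder tiny.
cat > "$GOOD_APP/local/indexes.conf" <<'EOF'
[myindex]
homePath   = $SPLUNK_DB/myindex/db
coldPath   = $SPLUNK_DB/myindex/colddb
thawedPath = $SPLUNK_DB/myindex/thaweddb
maxTotalDataSizeMB = 10
EOF

# conf_get FILE STANZA KEY -> value of KEY inside [STANZA], empty if absent.
# Lines before the first header are treated as the [default] stanza.
conf_get() {
    awk -v stanza="$2" -v key="$3" '
        BEGIN { cur = "default" }
        /^[[:space:]]*\[.*][[:space:]]*$/ {
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/][[:space:]]*$/, "", s)
            cur = s; next
        }
        cur == stanza && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }' "$1"
}

# effective_index APPDIR STANZA -> index the input writes to after layering:
# explicit stanza value (local beats default) > [default] stanza value > "main".
effective_index() {
    for layer in local default; do
        v=$(conf_get "$1/$layer/inputs.conf" "$2" index)
        [ -n "$v" ] && { printf '%s\n' "$v"; return; }
    done
    for layer in local default; do
        v=$(conf_get "$1/$layer/inputs.conf" default index)
        [ -n "$v" ] && { printf '%s\n' "$v"; return; }
    done
    printf 'main\n'   # assumed global default index (defaultDatabase = main)
}

# index_defined APPDIR INDEX -> succeeds if local/indexes.conf defines [INDEX] with a homePath
index_defined() {
    [ -f "$1/local/indexes.conf" ] || return 1
    [ -n "$(conf_get "$1/local/indexes.conf" "$2" homePath)" ]
}

for app in "$GOOD_APP" "$BARE_APP"; do
    for stanza in monitor:///var/log/example/app.log monitor:///var/log/example/audit.log; do
        printf '%-16s %-40s -> %s\n' "$(basename "$app")" "$stanza" "$(effective_index "$app" "$stanza")"
    done
done
# Expected: TA-example app.log -> myindex, audit.log -> main;
#           TA-example-bare app.log -> main (explicit index wins), audit.log -> myindex.

# On a real install, confirm the merged result and the index definition with:
#   splunk btool inputs list --app TA-example --debug
#   splunk btool indexes list myindex --debug
# and restart Splunk after editing inputs.conf so the change is read.
```

The two btool commands are the real check: the first prints every effective stanza for the app with the file each key came from, which is also how you find the exact stanza names of a modular input before writing the override; the second shows whether the index is actually defined on that node.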