Why is the Splunk App for Unix and Linux displaying events for data from another index?

pvuong
Explorer

Hello,

I installed SA-nix, splunk_app_for_nix, and Splunk_TA_nix for indexing all my Linux host system data.
I have several questions about these three apps/add-ons.

Where do I put my local inputs.conf and local indexes.conf?

SA-nix/local/[inputs.conf  | indexes.conf ] 
splunk_app_for_nix/local/[inputs.conf | indexes.conf ]  
splunk_app_for_nix/install/SA-nix/local/[inputs.conf | indexes.conf ]  
splunk_app_for_nix/install/Splunk_TA_nix/local/[inputs.conf | indexes.conf ]  
Splunk_TA_nix/local/[inputs.conf | indexes.conf ]

What changes depending on which of these locations holds my inputs.conf or indexes.conf?

Web interface of Splunk App For Unix
In the settings parameters, I have configured my Linux Index(es) to contain Linux host data.

Example:
index=os

index=sys_linux (which has all my Linux syslog indexed with sourcetype=syslog)
By this logic, the Splunk App for Unix should display only events in these indexes ...

But in the Metrics/Hosts tab, I can see Cisco events from other hosts which have been indexed in another index (index=net_cisco) with another sourcetype (sourcetype=cisco:ios).
I don't understand why my Splunk App for Unix can display information/events that come from another index that doesn't concern Linux data.

Any help is appreciated, thank you

Marie

0 Karma

pvuong
Explorer

The recent version: splunk_app_for_nix 5.1.0

In the searches powering this Unix app, it searches in all the indexes that I created for different apps and TAs.
I think it's normal that the searches powering it can search all the indexes which are allowed in the user's roles.

In the Unix App web UI, I thought that each app could only see the indexes belonging to its own context?

Thanks

0 Karma

inventsekar
SplunkTrust

I think these files come with the installation package:
splunk_app_for_nix/install/SA-nix/local/[inputs.conf | indexes.conf ]

splunk_app_for_nix/install/Splunk_TA_nix/local/[inputs.conf | indexes.conf ]
Whereas, for the remaining files (/local/), first we copy them from the install package and then we need to edit them as per our environment.

From the Splunk® App for Unix and Linux "Install and Use the Splunk App for Unix and Linux 5.2.0" document:

Splunk also uses configuration files to configure itself. When Splunk initializes, it finds all of the configuration files located in the Splunk directory and merges them to build a final "master" configuration, which it then runs on. When you install a Splunk app on a Splunk instance, Splunk must determine which configuration files to use if it encounters a conflict. This is where configuration file precedence comes in.

It's important to understand how precedence works. In many cases, if there is a configuration file conflict, Splunk gives priority to an app's configuration file. In some situations, installing an app might inadvertently override a setting in a configuration file in the core platform, which might lead to undesired results in data collection. Be sure to read the previously mentioned topic thoroughly for details.

0 Karma
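
An added example, not part of the thread or of Splunk's documentation: a simplified Python model of the precedence the quoted passage refers to, as it applies in the global context to inputs.conf and indexes.conf (system local, then app local directories, then app default directories, then system default, with apps compared by ASCII name). The stanza and its values are constructed samples, and only each app's top-level default and local directories are modelled.

```python
import configparser

# Constructed sample inputs.conf contents, keyed by (app, directory).
# The stanza and its values are illustrative, not the apps' shipped files.
LAYERS = {
    ("system", "default"): "[monitor:///var/log]\ndisabled = 1\n",
    ("Splunk_TA_nix", "default"): "[monitor:///var/log]\nindex = main\ndisabled = 1\n",
    ("Splunk_TA_nix", "local"): "[monitor:///var/log]\nindex = os\ndisabled = 0\n",
    ("splunk_app_for_nix", "local"): "[monitor:///var/log]\nindex = sys_linux\n",
    ("SA-nix", "local"): "[monitor:///var/log]\nsourcetype = syslog\n",
}

def precedence(layer):
    """Sort key: lower sorts first and wins. Tiers follow the global context."""
    app, kind = layer
    if app == "system":
        tier = 0 if kind == "local" else 3
    else:
        tier = 1 if kind == "local" else 2
    # Python compares strings by code point, so uppercase app names sort
    # (and win) before lowercase ones, matching ASCII ordering.
    return (tier, app)

def merge(layers):
    """Return {stanza: {key: (value, winning_layer)}}; highest layer wins per key."""
    merged = {}
    for layer in sorted(layers, key=precedence):
        parser = configparser.RawConfigParser(strict=False)
        parser.optionxform = str  # keep key case as written
        parser.read_string(layers[layer])
        for stanza in parser.sections():
            for key, value in parser.items(stanza):
                # setdefault keeps the first value seen, i.e. the highest layer
                merged.setdefault(stanza, {}).setdefault(key, (value, "/".join(layer)))
    return merged

if __name__ == "__main__":
    for stanza, settings in merge(LAYERS).items():
        print(f"[{stanza}]")
        for key, (value, source) in settings.items():
            print(f"  {key} = {value}    <- {source}")
```

On a real instance, `splunk btool inputs list --debug` prints the merged settings together with the file each one came from.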

jmheaton
Path Finder

What version of the Unix app are you using?
Check the searches powering the tab and see what index it's referring to.

0 Karma

pvuong
Explorer

Up again ....

Nobody has met the problem I mentioned? Only my Splunk instance has this symptom?

0 Karma

pvuong
Explorer

Hello everyone,

Any help, please ??

0 Karma