Use a different index name in an app

mmason · ‎03-27-2013

We have installed an app that requires an index to have a specific naming convention and of course when we created the index, before we knew about the app, we did not follow that convention. Is there a way I can make just that app think the index has a different name?

I can do something like that on the search line with:

index=system | replace system with test_system in index

I think what I want is to append something like that to the beginning of every search in the app. So I was trying to do that by setting the srchFilter in the authorize.conf:

srchFilter = index=system | replace system with test_system in index | search

I've tried many different version of the above line but nothing has seemed to work, in fact most combinations result in an error when searching.

I would appreciate any suggestions. Thanks.

mmason · ‎03-28-2013

Vince,
I came up with the search. I was hoping there was a way to append that search before any searches that the app ran. Looking through the app to manually remove the index names is an options however the app is pretty complicated, there are about 100 instances of the index names in the app. But more then that the app uses python scripts with code depending on parts of the index names, so that means I would have to change the logic of the code itself. Changing the code could be doable but I was hoping someone could help me think of a smarter and easier way to get around this problem.

kristian_kolb · ‎03-28-2013

You can't really rename an index. Or move data that has been already put into one index.

I think you'll have to edit the config files of the application to use a different index. This can be in a lot of places, unfortunately (like savedsearches.conf, macros.conf etc).

You should probably search through the $SPLUNK_HOME/etc/apps/your_new_app to find all occurrances of index=the_apps_custom_index. That would give you an idea of the work ahead.

Also, you should be aware that whatever you edit in default folders will most likely be overwritten if you update the app. Therefore, you should make a copy of the config file in the corresponding local folder.

On the other hand, when a new version of the app comes out, there will probably be new functionality (searches etc) that need to be modified in order to find your data in the 'right' index.

Hope this helps,

Kristian

kristian_kolb · ‎03-29-2013

If it's just for searches, not getting data into the index.. maybe there is a way by using the Search Restrictions in a creative way.

Under Manager -> Access Controls -> Roles -> your_role you can find (near the top of the page) a box where you can enter search restrictions for that role. Whatever you enter there gets prepended to the searches executed by users with that role. Usually that is used to limit the ability to see information, but perhaps you could enter;

index=the_index_where_the_data_really_is OR

...could be worth a try.

/K

mmason · ‎03-28-2013

Hi Kristian,
Unfortunately the app has python scripts that use parts of the index name in the logic of the code. So I would have to rewrite the way the code works, and as you said if we get a new version I would have to do that all over again. I know we can't really rename an index, but I wanted to just trick this app in to seeing the index names differently. That search line I included will do that but I am not sure how to include that into the app and make sure that search is prepended to all searches in the app. Any advice on that or any other suggestions would be appreciated. Thanks.

vincesesto · ‎03-27-2013

Hi mmason, is the search that you have provided in the question, is that what the app is calling or is it your search, as it may be easiest to simply edit the saved search or xml the app is using.
Let me know if I have missed the point of if you need me to clarify my question.
Regards Vince

Use a different index name in an app

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk