You can also create multiple versions of the Unix App if you need to, and configure each one for specific indexes. What I've done is copy the contents of the /opt/splunk/etc/apps/unix folder to the /opt/splunk/etc/apps/unix2 folder. You can name the destination folder whatever you want in order to keep track of it; it doesn't matter to Splunk.
To change the name of the App in the GUI, you edit the /opt/splunk/etc/apps/unix2/default/app.conf file as follows:
[launcher]
version = 4.6
description = This is a useful app for helping monitor, manage, and troubleshoot *nix platforms. This app comes with set of scripted inputs for collecting CPU, disk, I/O, memory, log, configuration, and user info. It also provides convenient dashboards, form searches, and alerts to make getting started with Splunk a breeze.
author = Splunk, Inc.
[ui]
is_visible = true
label = Unix App for Group A
[install]
state = enabled
is_configured = false
build = 133346
[package]
id = unix
The label = line is where you change the display name in the Apps drop-down menu.
Once you do that, you copy the inputs.conf from /opt/splunk/etc/apps/unix2/default to /opt/splunk/etc/apps/unix2/local and modify the index for each stanza to the appropriate index you want to use. In this example, we used UnixGroupA as the index. For example:
### bash history
[monitor:///root/.bash_history]
disabled = true
sourcetype = bash_history
index = UnixGroupA
Once that's done, you have to modify the saved searches for the App so they default to the correct index for this instance of the App. You will want to copy the /opt/splunk/etc/apps/unixtest/default/savedsearches.conf to the /opt/splunk/etc/apps/unixtest/local directory and modify that version.
The easiest way to accomplish this is to use vi (or whatever editor you prefer) and replace all of the index=os strings with index=NewIndexName, which is UnixGroupA in this case.
For vi, you would use the following:
:%s/index=os/index=UnixGroupA/g
Save the contents of that file and restart Splunk. You can then access the new instance of the app from the Apps menu, and the saved searches will use the correct index for this instance of the app.
There are some other references in various files, such as /opt/splunk/etc/apps/unix2/appserver/static, which contains HTML files with references to index=os. Searching through those and replacing them with the appropriate index would be a good idea as well.
Also, by default, the search bar and some other items are prepopulated with index=os; that can be changed by modifying the files in /opt/splunk/etc/apps/unix2/default/data/ui/views.
Use the following command to modify all the files by replacing index=os with index=UnixGroupA, or index="OS" with index="UnixGroupA":
find . -name "*.xml" -print | xargs sed -i 's/index="os"/index="UnixGroupA"/g'
You can also do this for any other files throughout the app's directories to replace the index=OS or index="OS" strings.
Another option is to search for the known default index name through the directory structure of the app. In this case you would issue the commands:
find /opt/splunk/etc/apps/unix2 -type f | xargs perl -pi -e 's/index=os/index=UnixGroupA/g'
find /opt/splunk/etc/apps/unix2 -type f | xargs perl -pi -e 's/index="os"/index="UnixGroupA"/g'
This will replace any instance of index=os in the app's directory structure with the correct index name.
The static links in the web code will also need to be changed. In /opt/splunk/etc/apps/unix2/appserver/static/welcome.html there are links similar to this:
<a href="/app/unix/flashtimeline?s=netstat">netstat</a>
This will need to be changed to reflect the correct path to the app we've modified. You can do the replacement in welcome.html with vi as follows:
:%s/\/app\/unix/\/app\/unix2/g
This will replace all instances of /app/unix with /app/unix2, which will make all of the links under the About Splunk page for the Unix App work correctly.
That's it!
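As an added example (not part of the answer above, and not Splunk's or the Unix App's own tooling), here is the whole procedure from that answer scripted as POSIX shell functions: copy the app directory, set the label in app.conf, copy inputs.conf and savedsearches.conf into local/, rewrite index=os and index="os" throughout the copy, fix the /app/unix links under appserver/static, and then count whatever references to the old index or old app path are still left. It goes a little beyond the answer's find | xargs perl -pi commands: only files that grep actually finds a match in are rewritten (so binaries and unrelated files are never touched), and the index pattern stops at a word boundary so an unrelated name such as index=osquery is left alone. The app names unix and unix2, the index UnixGroupA, the label, and the fixture files are all assumptions for the demo; it runs against a constructed copy of the app layout in a temporary directory, not against /opt/splunk.

```shell
#!/bin/sh
# Added example: clone a Splunk app directory into a renamed copy that targets
# its own index, then verify no references to the old index or old app path
# remain. Runs against a constructed fixture tree, not a real Splunk install.
set -eu

# Rewrite PATTERN -> REPLACEMENT (sed -E syntax, '#' is used as the delimiter,
# so neither may contain '#') in every regular file under DIR that contains a
# match. The match list is collected before any file is rewritten so the loop
# never races with its own temporary files.
rewrite_refs() {
    dir=$1; pattern=$2; replacement=$3
    matches=$(find "$dir" -type f -exec grep -lE "$pattern" {} + || true)
    [ -n "$matches" ] || return 0
    printf '%s\n' "$matches" | while IFS= read -r f; do
        sed -E "s#$pattern#$replacement#g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Clone app SRC to DST (a sibling directory), set the GUI label, copy the conf
# files that need editing into local/ (local/ overrides default/ in Splunk),
# and fix index and static-link references throughout the copy.
# Assumes the label contains neither '#' nor '&'.
clone_unix_app() {
    src=$1; dst=$2; label=$3; index=$4
    srcname=$(basename "$src"); dstname=$(basename "$dst")
    [ -d "$dst" ] && { echo "refusing to overwrite $dst" >&2; return 1; }
    cp -R "$src" "$dst"
    mkdir -p "$dst/local"
    sed -E "s#^label = .*#label = $label#" "$dst/default/app.conf" \
        > "$dst/default/app.conf.tmp" && mv "$dst/default/app.conf.tmp" "$dst/default/app.conf"
    for conf in inputs.conf savedsearches.conf; do
        [ -f "$dst/default/$conf" ] && cp "$dst/default/$conf" "$dst/local/$conf"
    done
    # bare index=os / index = os, bounded so index=osquery is not touched
    rewrite_refs "$dst" '(index ?= ?)os([^[:alnum:]_]|$)' "\\1$index\\2"
    # quoted form used in the view XML
    rewrite_refs "$dst" '(index ?= ?)"os"' "\\1\"$index\""
    # static links in the welcome page point at the old app path
    rewrite_refs "$dst/appserver/static" "/app/$srcname/" "/app/$dstname/"
}

# Number of lines under DST that still reference the old index (bare or quoted)
# or the old app path SRCNAME. A clean clone returns 0.
count_stale_refs() {
    dst=$1; srcname=$2
    find "$dst" -type f -exec grep -cE "index ?= ?\"?os\"?([^[:alnum:]_]|$)|/app/$srcname/" {} + \
        | awk -F: '{ n += $NF } END { print n + 0 }'
}

# Constructed stand-in for /opt/splunk/etc/apps/unix (demo fixture only).
make_fixture() {
    app=$1
    mkdir -p "$app/default/data/ui/views" "$app/appserver/static"
    printf '[ui]\nis_visible = true\nlabel = Unix App\n\n[package]\nid = unix\n' > "$app/default/app.conf"
    printf '[monitor:///root/.bash_history]\ndisabled = true\nsourcetype = bash_history\nindex = os\n' > "$app/default/inputs.conf"
    printf '[Top CPU]\nsearch = index=os sourcetype=top | head 10\n[Unrelated]\nsearch = index=osquery | head 1\n' > "$app/default/savedsearches.conf"
    printf '<form><searchTemplate>index="os" sourcetype=netstat</searchTemplate></form>\n' > "$app/default/data/ui/views/netstat.xml"
    printf '<a href="/app/unix/flashtimeline?s=netstat">netstat</a>\n' > "$app/appserver/static/welcome.html"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_fixture "$WORK/unix"
clone_unix_app "$WORK/unix" "$WORK/unix2" "Unix App for Group A" UnixGroupA
echo "stale references left in clone: $(count_stale_refs "$WORK/unix2" unix)"
```

The count at the end is the check worth keeping: Splunk role permissions are scoped by index, so a saved search or view that still carries index=os quietly keeps reading the shared index even though the app's own inputs now write to UnixGroupA. Run the count before restarting Splunk; anything other than 0 means a file the replacements missed.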