We are in the process of deploying the Splunk App for Unix and Linux on our Linux servers in a distributed Splunk environment. I was able to successfully change the indexer from the default (os) to the one that we want to use in a standalone instance by modifying the instance name in the untarred source files for Unix app, then installing from those modified files. However, in the distributed environment, we want to be able to install from the source files and then be able to change the index after the install. We already have the index name that we want to use defined on our indexers, but I don't really understand how we can change the indexes after the app is installed. Can anyone give me a hand with this?
You would install the Splunk Add-on for Unix and Linux (*nix) app on your linux hosts to collect the data. Within that app $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/inputs.conf you will see where the index=os is defined.
# Copyright (C) 2009-2012 Splunk Inc. All Rights Reserved. [script://./bin/vmstat.sh] interval = 60 sourcetype = vmstat source = vmstat index = os disabled = 1 [script://./bin/iostat.sh] interval = 60 sourcetype = iostat source = iostat index = os disabled = 1 [script://./bin/ps.sh] interval = 30 sourcetype = ps source = ps index = os disabled = 1
You will want to create a /local folder and a new inputs.conf with these changes. Don't edit the inputs.conf that is in /default or it will get overwritten and revert back to the default when you upgrade the app.
on your linux host with universal forwarder installed:
interval = 60
sourcetype = iostat
source = iostat
index = yournewindexname
disabled = 1
*change disabled= 0 to enable it.
keep in mind any dashboards, searches , etc that use index=os will have to be updated to the new index name. This seems like more administrative overhead than it is worth imo./