
How to change the index for the Splunk App and Add-on for Unix and Linux after installation in a distributed search environment?

ebethjones
New Member

We are in the process of deploying the Splunk App for Unix and Linux on our Linux servers in a distributed Splunk environment. I was able to successfully change the indexer from the default (os) to the one that we want to use in a standalone instance by modifying the instance name in the untarred source files for Unix app, then installing from those modified files. However, in the distributed environment, we want to be able to install from the source files and then be able to change the index after the install. We already have the index name that we want to use defined on our indexers, but I don't really understand how we can change the indexes after the app is installed. Can anyone give me a hand with this?

0 Karma

rphillips_splk
Splunk Employee

You would install the Splunk Add-on for Unix and Linux (*nix) app on your Linux hosts to collect the data. Within that app, in $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/inputs.conf, you will see where index = os is defined.

i.e.:

# Copyright (C) 2009-2012 Splunk Inc. All Rights Reserved.
[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
source = vmstat
index = os
disabled = 1

[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
index = os
disabled = 1

[script://./bin/ps.sh]
interval = 30
sourcetype = ps
source = ps
index = os
disabled = 1

You will want to create a /local folder and a new inputs.conf with these changes. Don't edit the inputs.conf that is in /default or it will get overwritten and revert back to the default when you upgrade the app.

Example:
On your Linux host with the universal forwarder installed:

$SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf

[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
index = yournewindexname
disabled = 1

*Change to disabled = 0 to enable it.

Keep in mind any dashboards, searches, etc. that use index=os will have to be updated to the new index name. This seems like more administrative overhead than it is worth, IMO.

0 Karma
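The answer above relies on Splunk's configuration layering: a key set in an app's local/inputs.conf overrides the same key in default/inputs.conf, stanza by stanza, and local/ survives an upgrade. The following is an added example (not code from the answer or from the add-on) that models that layering in Python: it reads a constructed copy of the kind of default/inputs.conf shown above, generates a minimal local/inputs.conf that only overrides index (and optionally disabled) for the stanzas that use the stock os index, and computes the effective per-stanza result. The precedence model is deliberately simplified to one app's default/ and local/; real Splunk also layers $SPLUNK_HOME/etc/system/local and other apps on top, and the index name linux_os is an assumed placeholder.

```python
"""Model of Splunk's default/local layering for inputs.conf.

Added example, not from the forum answer. Assumes a simplified precedence
model (app/local overrides app/default, key by key, within one app); the
real Splunk merge order also includes system/local and other apps.
"""
import configparser
import tempfile
from pathlib import Path

# Constructed sample: a trimmed copy of the style of default/inputs.conf the
# answer shows. Both stanzas point at the stock "os" index.
DEFAULT_INPUTS = """\
# default/inputs.conf shipped by the add-on (constructed sample)
[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
source = vmstat
index = os
disabled = 1

[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
index = os
disabled = 1
"""


def read_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk-style .conf text (stanzas, key = value, # comments)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#",))
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return cp


def build_local_override(default_text: str, new_index: str,
                         enable=()) -> str:
    """Generate local/inputs.conf containing only the keys that change.

    Every stanza whose default index is 'os' gets index = new_index; stanzas
    named in `enable` also get disabled = 0. Nothing else is copied, so
    default/ keeps owning interval, sourcetype and source.
    """
    default = read_conf(default_text)
    lines = []
    for stanza in default.sections():
        overrides = {}
        if default[stanza].get("index") == "os":
            overrides["index"] = new_index
        if stanza in enable:
            overrides["disabled"] = "0"
        if overrides:
            lines.append(f"[{stanza}]")
            lines.extend(f"{k} = {v}" for k, v in overrides.items())
            lines.append("")
    return "\n".join(lines)


def effective_config(default_text: str, local_text: str) -> dict:
    """Merge local over default key by key (simplified Splunk precedence)."""
    default = read_conf(default_text)
    local = read_conf(local_text)
    merged = {s: dict(default[s]) for s in default.sections()}
    for s in local.sections():
        merged.setdefault(s, {}).update(local[s])
    return merged


def write_app_local(app_dir: Path, local_text: str) -> Path:
    """Write the override to <app>/local/inputs.conf, creating local/."""
    local_dir = app_dir / "local"
    local_dir.mkdir(parents=True, exist_ok=True)
    path = local_dir / "inputs.conf"
    path.write_text(local_text)
    return path


if __name__ == "__main__":
    # "linux_os" is an assumed index name; use the one defined on your indexers.
    local_text = build_local_override(DEFAULT_INPUTS, "linux_os",
                                      enable=("script://./bin/iostat.sh",))
    print(local_text)
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "Splunk_TA_nix"
        print("wrote", write_app_local(app, local_text))
    for stanza, keys in effective_config(DEFAULT_INPUTS, local_text).items():
        print(stanza, "-> index =", keys["index"], "disabled =", keys["disabled"])
```

The generated file is intentionally sparse: overriding only index (and disabled where you enable an input) means a future upgrade that changes interval or sourcetype in default/ still takes effect. On a real forwarder, confirm the merged result with `splunk btool inputs list --debug`, which prints each effective key together with the file it came from.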

vr2312
Contributor

@rphillips [Splunk], if I modify anything under the /local directory of the app and I upgrade the app, I believe the changes will still remain. Am I right?

0 Karma

rphillips_splk
Splunk Employee

@vr2312 that's correct; if it's in /local (i.e. $SPLUNK_HOME/etc/system/local/ or $SPLUNK_HOME/etc/apps/<app>/local/) it will not be overwritten when you upgrade.

0 Karma