So if I understand correctly, you've changed the index used from solaris to ia. The searches used in dashboards do not specify the index (this is deliberate, so you can use any index), but you do need to make sure all indexes you have used are accessible by default, and are searchable by default for the role you are using to access the events. So check permissions on all the objects.
Also check to see if maybe you missed some and there is an index called solaris with some contents. Your missing events might be there. Any errors resulting from script execution should show up in splunkd.log; search for ERROR ExecProcessor. I've kept it pretty simple; there doesn't seem to me to be a whole lot that could go wrong with it, assuming SPLUNK_USER can execute the underlying commands in the first place. And this can also be a problem. For reasons best known to themselves, the people who wrote many of the OS commands I've used only let root get access even to display the information, so unless Splunk is running as root or you do a whole lot of messing around with ACLs, it won't work properly. LDOMS is one example. Only root can run ldm at all. I am well aware that this is not an ideal situation, but I would suggest that if anyone can mess around with the scripts to do bad things, you already have a much larger problem than anything the TA might be able to cause.
If you are making enhancements to any of it, please let me know and I'll include them if you want. I wrote this App and TA because A. I think the official *nix app has lost its way and B. in trying to be cross-platform, the official stuff doesn't use any of the cool things that are Solaris-only, and which tell you about virtual networks and zones/ldoms, zpool, zfs etc. etc. For that matter, it's all out of date wrt modern Linux distros as well, and for all the annoying but shiny new UI in the *nix app, it is still using methods 10 years old to collect it.
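Added example, not part of the original post or of the TA: a shell function that follows the advice above to search splunkd.log for ERROR ExecProcessor, counting failures per scripted input and how many of them look like permission problems (the non-root case described for ldm). The sample log lines, the EXAMPLE_TA script paths and the error wording are constructed, and the permission phrases matched are an assumed heuristic.

```shell
#!/bin/sh
# Summarise scripted-input failures recorded in splunkd.log.
# Output: "<error count> <permission-looking count> <script path>", busiest first.

exec_errors_by_script() {
    # $1: path to splunkd.log (or a copy of it)
    awk '
        / ERROR ExecProcessor / {
            # The script path is the quoted string after "message from".
            if (match($0, /message from "[^"]+"/))
                s = substr($0, RSTART + 14, RLENGTH - 15)
            else
                s = "(no script path)"
            n[s]++
            # Assumed heuristic: wording typical of a non-root user being refused.
            if (tolower($0) ~ /permission denied|not permitted/) p[s]++
        }
        END { for (s in n) printf "%d %d %s\n", n[s], p[s] + 0, s }
    ' "$1" | sort -k1,1nr -k3
}

# Constructed sample lines; paths and messages are placeholders, not real TA output.
write_sample() {
    cat > "$1" <<'EOF'
05-12-2020 10:15:01.123 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/EXAMPLE_TA/bin/ldm_list.sh" ldm: Permission denied
05-12-2020 10:15:02.456 +0000 INFO  ExecProcessor - New scheduled exec process: /opt/splunk/etc/apps/EXAMPLE_TA/bin/zpool_status.sh
05-12-2020 10:20:01.130 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/EXAMPLE_TA/bin/ldm_list.sh" ldm: Permission denied
05-12-2020 10:20:03.002 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/EXAMPLE_TA/bin/zone_list.sh" zoneadm: command not found
05-12-2020 10:21:00.000 +0000 WARN  DateParserVerbose - constructed unrelated line
EOF
}

sample=$(mktemp)
write_sample "$sample"
exec_errors_by_script "$sample"
rm -f "$sample"
```

A script whose second column equals its first is failing only on permission-style errors, which points at the account Splunk runs as rather than at the script itself.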