
How to make *NIX app send data to the os index only?

danielpellarini
Path Finder

I have just realized that the NIX app is sending data to the os index (which is correct) but *also* to the main index.

Is this normal behavior? I was expecting the app to send data to the os index only, since it is created exactly for this purpose...

Update: My mistake, the app correctly sends the data to the os index only. I got confused because searching for example for sourcetype=top in the search app brings up results from the os index as well, whereas for other indexes I need to manually specify the index to search.

0 Karma
1 Solution

danielpellarini
Path Finder

For some reason, in this case the os index gets searched even if you don't specify it explicitly, which means that searching for sourcetype=top will search the os index and not the main index. This doesn't happen with other indexes, which I manually have to type in the search bar in order to search data inside them.

A quick search for index=main sourcetype=top showed that the *NIX app data is not sent to the main index.

danielpellarini
Path Finder

@sowings yep, that was it. Thanks for the comment 🙂

0 Karma

lukejadamec
Super Champion

You're right. Both main and os were in my role. Removing os removed the behavior.

0 Karma

sowings
Splunk Employee

The behavior you're describing is related to the "indexes searched by default" for your user role. The os index has probably been added to that list for your role, so you don't have to type it in; it's searched automatically. Note that you can still expressly include it in your search terms (and then you'd search only that index).

lukejadamec
Super Champion

Makes sense, that's what I see also. Not sure why that is. My other custom indexes need to be specifically called out in the search.

0 Karma

danielpellarini
Path Finder

@lukejadamec As far as I can tell, all the inputs and sourcetypes I have enabled in the NIX app end up in the main index too. I haven't checked them all, but all of the inputs I have checked behave like this, and it started immediately after configuring the NIX app.

0 Karma

sowings
Splunk Employee

The scripted inputs may send the diagnostic output from their scripts (e.g. "df", "top", etc) to the default database. I would check the inputs.conf definition for the script:: inputs to see if they include an index definition.
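
As an added example (not from this thread or the *NIX app), the check suggested above can be automated: the script below parses an inputs.conf and reports, for every enabled script:// stanza, which index its events will land in, so stanzas that silently fall back to the default index stand out. The sample inputs.conf is constructed for the example; it assumes a single file and does not model Splunk's default/local layering across apps.

```python
import re

# Constructed sample inputs.conf in the style of a *NIX-app deployment
# (not the app's own file): top.sh sets no index and will default to main.
SAMPLE_INPUTS_CONF = """\
[script://./bin/df.sh]
interval = 300
sourcetype = df
index = os

[script://./bin/top.sh]
interval = 60
sourcetype = top

[script://./bin/vmstat.sh]
sourcetype = vmstat
disabled = 1
"""

STANZA_RE = re.compile(r"^\[(?P<name>.+)\]$")
KV_RE = re.compile(r"^(?P<key>[^=#]+?)\s*=\s*(?P<value>.*)$")


def parse_conf(text):
    """Parse a Splunk-style .conf file into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group("name"), {})
        elif current is not None and (m := KV_RE.match(line)):
            current[m.group("key")] = m.group("value")
    return stanzas


def effective_script_indexes(text, default_index="main"):
    """Map each enabled script:// stanza to the index its events land in:
    its own index=, else [default]'s index, else the indexer default."""
    stanzas = parse_conf(text)
    inherited = stanzas.get("default", {}).get("index")
    result = {}
    for name, keys in stanzas.items():
        if name.startswith("script://") and keys.get("disabled", "0") not in ("1", "true"):
            result[name] = keys.get("index") or inherited or default_index
    return result
```

Any stanza reported as "main" (or whatever your default index is) is one whose output will not reach the os index; add index = os to that stanza or to a [default] stanza in the same file.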

sowings
Splunk Employee

So if you were to search for "(index=main OR index=os) sourcetype=df"*, you'd get records for the same host in both indexes? And for the same time?

* Here, use a sourcetype appropriate for what you've enabled in your environment, df was just an example.

0 Karma

danielpellarini
Path Finder

Hi sowings, thank you for your answer. The inputs.conf file contains the line index=os for every input stanza.

0 Karma

lukejadamec
Super Champion

I'm not seeing this behavior. Can you be more specific regarding the event source/sourcetypes that are being indexed in main?

0 Karma