
How to Change the Default Index of *NIX App

klkumar10
Explorer

I have created several indexes based on the flavour of UNIX, like linux, solaris, sco-unix, esx.

Now I want to use these indexes in *NIX app.

But presently I cannot make use of the *NIX app, as it's checking for data in the index "os".

Can someone guide me on how to configure the *NIX app to use multiple indexes, or at least 1 index instead of the default "os"?

terry_reece
Engager

You can also create multiple versions of the Unix App if you need to, and configure each one for specific indexes. What I've done is copy the contents of the /opt/splunk/etc/apps/unix folder to the /opt/splunk/etc/apps/unix2 folder. You can name the destination folder whatever way you want to track what it is; it doesn't matter to Splunk.

To change the name of the App in the GUI, you edit the /opt/splunk/etc/apps/unix2/default/app.conf file as follows:

[launcher]
version = 4.6
description = This is a useful app for helping monitor, manage, and troubleshoot *nix platforms. This app comes with set of scripted inputs for collecting CPU, disk, I/O, memory, log, configuration, and user info. It also provides convenient dashboards, form searches, and alerts to make getting started with Splunk a breeze.
author = Splunk, Inc.

[ui]
is_visible = true
label = Unix App for Group A

[install]
state = enabled
is_configured = false
build = 133346

[package]
id = unix

The line label = is where you change the display name in the Apps drop down menu.

Once you do that, you copy the inputs.conf from /opt/splunk/etc/apps/unix2/default to /opt/splunk/etc/apps/unix2/local and modify the index for each stanza to the appropriate index you want to use. In this example, we used UnixGroupA as the index. For example:

### bash history
[monitor:///root/.bash_history]
disabled = true
sourcetype = bash_history
index = UnixGroupA

Once that's done, you have to modify the saved searches for the App so they default to the correct index for this instance of the App. You will want to copy the /opt/splunk/etc/apps/unixtest/default/savedsearches.conf to the /opt/splunk/etc/apps/unixtest/local directory and modify that version.

The easiest way to accomplish this is to use vi (or whatever editor you prefer) and replace all of the index=os strings with index=NewIndexName, which is UnixGroupA in this case.

For vi, you would use the following:

:%s/index=os/index=UnixGroupA/g

Save the contents of that file and restart Splunk. You can then access the new instance of the app from the Apps menu, and the saved searches will use the correct index for this instance of the app.

There are some other references in various files, such as /opt/splunk/etc/apps/unix2/appserver/static, which contains HTML files with references to index=os. Searching through and replacing those with the appropriate index would be a good idea as well.

Also, by default, the search bar and some other items are prepopulated with index=os; that can be changed by modifying the files in /opt/splunk/etc/apps/unix2/default/data/ui/views.

Use the following command to modify all the files by replacing index=os with index=UnixGroupA, or index="OS" with index="UnixGroupA".

find . -name "*.xml" -print | xargs sed -i 's/index="os"/index="UnixGroupA"/g'

You can also do this for any other files throughout the app's directories to replace the index=OS or index="OS" strings.

Another option is to search for the known default index name through the directory structure of the app. In this case you would issue the commands:

find /opt/splunk/etc/apps/unix2 -type f | xargs perl -pi -e 's/index=os/index=UnixGroupA/g'
find /opt/splunk/etc/apps/unix2 -type f | xargs perl -pi -e 's/index="os"/index="UnixGroupA"/g'

This will replace any instance of index=os in the app's directory structure with the correct index name.

The static links in the web code will also need to be changed. In /opt/splunk/etc/apps/unix2/appserver/static/welcome.html there are links similar to this:

<a href="/app/unix/flashtimeline?s=netstat">netstat</a>

This will need to be changed to reflect the correct path to the app we've modified. You can do the replacement in welcome.html by entering the following in vi:

:%s/\/app\/unix/\/app\/unix2/g

This will replace all instances of /app/unix with /app/unix2, which will make all of the links under the About Splunk page for the Unix App work correctly.

That's it!
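The copy, relabel and search-and-replace steps in the answer above, automated as an added Python example (this is not code from the thread or from the *NIX app). It assumes the clone lives beside the original under the same apps directory, so the link rewrite derives the app ids from the two folder names; the mini app it builds, the file contents and the index names are all constructed for the demonstration. Two details differ from the sed/perl one-liners: the index name is matched as a whole token, so an index whose name merely starts with "os" is not mangled, and files that are not text (images, flash objects) are skipped instead of being run through a substitution.

```python
"""Clone a Splunk app folder and retarget every index=os reference."""
import re
import shutil
import tempfile
from pathlib import Path

# File types inside a Splunk app that are safe to treat as text.
TEXT_SUFFIXES = {".conf", ".xml", ".html", ".js", ".css", ".txt", ".md"}


def index_pattern(old_index: str) -> re.Pattern:
    """Match index=os, index = "os", index='OS' ... but not index=osquery."""
    return re.compile(
        r"(index\s*=\s*)([\"']?)" + re.escape(old_index) + r"\2(?![\w-])",
        re.IGNORECASE,
    )


def rewrite_index_refs(text: str, old_index: str, new_index: str) -> str:
    """Replace bare or quoted references to old_index, keeping the quoting."""
    return index_pattern(old_index).sub(
        lambda m: f"{m.group(1)}{m.group(2)}{new_index}{m.group(2)}", text
    )


def rewrite_app_links(text: str, old_app: str, new_app: str) -> str:
    """Repoint /app/<old_app>/... links (welcome.html etc.) to the clone."""
    return re.sub(
        r"/app/" + re.escape(old_app) + r"(?=[/?\"'\s]|$)", f"/app/{new_app}", text
    )


def rewrite_label(app_conf: str, new_label: str) -> str:
    """Set the display name shown in the Apps drop-down ([ui] label =)."""
    return re.sub(r"(?m)^label\s*=.*$", f"label = {new_label}", app_conf)


def clone_app(src: Path, dst: Path, old_index: str, new_index: str,
              new_label: str) -> list:
    """Copy src to dst, then rewrite index refs, app links and the label.
    Returns the dst-relative paths of the files that were changed."""
    shutil.copytree(src, dst)
    changed = []
    for path in sorted(p for p in dst.rglob("*") if p.is_file()):
        if path.suffix.lower() not in TEXT_SUFFIXES:
            continue  # images, .swf etc. are left exactly as copied
        try:
            original = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # not text after all; leave it alone
        text = rewrite_index_refs(original, old_index, new_index)
        text = rewrite_app_links(text, src.name, dst.name)
        if path.name == "app.conf":
            text = rewrite_label(text, new_label)
        if text != original:
            path.write_text(text, encoding="utf-8")
            changed.append(str(path.relative_to(dst)))
    return changed


def demo() -> dict:
    """Build a constructed mini app, clone it as unix2 and return the result."""
    root = Path(tempfile.mkdtemp())
    src = root / "unix"
    (src / "default").mkdir(parents=True)
    (src / "appserver" / "static").mkdir(parents=True)
    (src / "default" / "app.conf").write_text(
        "[ui]\nis_visible = true\nlabel = *Nix\n", encoding="utf-8")
    (src / "default" / "inputs.conf").write_text(
        "[monitor:///var/log]\nindex=os\ndisabled = 1\n", encoding="utf-8")
    (src / "default" / "savedsearches.conf").write_text(
        "[cpu]\nsearch = index=os sourcetype=cpu | timechart avg(pctIdle)\n"
        "[other]\nsearch = index=osquery | head 1\n", encoding="utf-8")
    (src / "appserver" / "static" / "welcome.html").write_text(
        '<a href="/app/unix/flashtimeline?s=netstat">netstat</a>\n'
        '<p>index="OS"</p>\n', encoding="utf-8")
    # A constructed binary file: must survive the clone byte-for-byte.
    (src / "appserver" / "static" / "logo.png").write_bytes(
        b"\x89PNG\x00\xffindex=os")
    dst = root / "unix2"
    changed = clone_app(src, dst, "os", "UnixGroupA", "Unix App for Group A")
    files = {str(p.relative_to(dst)): p.read_bytes()
             for p in sorted(dst.rglob("*")) if p.is_file()}
    shutil.rmtree(root)
    return {"changed": changed, "files": files}


if __name__ == "__main__":
    for rel in demo()["changed"]:
        print("rewrote", rel)
```

Running the module prints the four text files that were rewritten; the constructed logo.png and the index=osquery search are left untouched. After the real clone, Splunk still needs a restart, as the answer says, before the new app shows up in the Apps menu.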

mikelanghorst
Motivator

Well, I don't think the problem is the inputs, but the pre-created reports. I have the same issue with the Windows application: I'd like to have it in a different index, but all the other files for the app need to be changed as well (not the inputs, but the files for the UI, saved searches, etc.).

lguinn2
Legend

To change the way the *NIX app indexes its inputs

Make a copy of inputs.conf in the local directory for the *NIX app. You may need to create the directory first.

cp $SPLUNK_HOME/etc/apps/unix/default/inputs.conf $SPLUNK_HOME/etc/apps/unix/local/

Edit the copy of inputs.conf in the local directory as follows:

  1. For each stanza, remove all the lines EXCEPT index = os and disabled
  2. Change index = os to index = main (or any existing index of your choice)
  3. Make sure that disabled is set to false (or zero)

Example:

[monitor:///var/log]
_whitelist=(\.log|log$|messages$|mesg$|cron$|acpid$|\.out)
_blacklist=(lastlog)
index=os
disabled = 1

Would become

[monitor:///var/log]
index=main
disabled = false

You can also do this via the Splunk Manager GUI.

Change the *NIX eventtypes and saved searches

There are a number of eventtypes and saved searches that are provided with the *NIX app. Some of them contain "index=os" as part of their search. You can simply remove this term from the search, and Splunk will search all indexes that are visible to the user. You can do this via the Splunk Manager GUI.

It is probably better to use the "clone" mechanism to create a custom version of each of the redefined eventtypes, so that your changes are not overwritten by subsequent Splunk releases.
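The local inputs.conf override described in the answer above, generated rather than hand-edited, as an added Python example (not code from the thread or from the *NIX app). It relies on the way Splunk layers local/*.conf over default/*.conf attribute by attribute, so the local copy only has to carry the keys being overridden: each stanza header is kept, index is rewritten, disabled is forced to false, and every other line is dropped. A small merge function then shows what the effective configuration becomes. The sample default file is the one quoted in the answer; the index name main is the answer's own choice.

```python
"""Generate a minimal local/inputs.conf that overrides only index/disabled."""
import re

STANZA_RE = re.compile(r"^\s*\[(.+)\]\s*$")
KEY_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")

# Constructed sample: the default stanza quoted in the answer above.
SAMPLE_DEFAULT = """\
[monitor:///var/log]
_whitelist=(\\.log|log$|messages$|mesg$|cron$|acpid$|\\.out)
_blacklist=(lastlog)
index=os
disabled = 1
"""


def parse_conf(text: str) -> list:
    """Return [(stanza_name, {key: value})], preserving stanza order."""
    stanzas, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = {}
            stanzas.append((m.group(1), current))
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return stanzas


def minimal_local_inputs(default_text: str, new_index: str,
                         enable: bool = True) -> str:
    """Emit a local inputs.conf carrying only the index/disabled overrides."""
    out = []
    for name, keys in parse_conf(default_text):
        out.append(f"[{name}]")
        if "index" in keys:  # only stanzas that actually route to an index
            out.append(f"index = {new_index}")
        out.append(f"disabled = {'false' if enable else 'true'}")
        out.append("")
    return "\n".join(out)


def merge_conf(default_text: str, local_text: str) -> dict:
    """Effective settings per stanza: local keys win, the rest stay default."""
    merged = {}
    for name, keys in parse_conf(default_text):
        merged.setdefault(name, {}).update(keys)
    for name, keys in parse_conf(local_text):
        merged.setdefault(name, {}).update(keys)
    return merged


if __name__ == "__main__":
    local = minimal_local_inputs(SAMPLE_DEFAULT, "main")
    print(local)
    print(merge_conf(SAMPLE_DEFAULT, local))
```

The merged view is the check worth running before restarting Splunk: every stanza should show the new index and disabled = false while its whitelist and blacklist are still inherited from default, which is exactly why the local file does not need to repeat them.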
