The script doesn't actually generate any data that is output into Splunk, it actually handles pulling down data from your InterMapper server and then rebuilding your dashboards every 15 seconds. You can adjust this time based on how busy or active your network is but it will affect how often the map image is updated.

So, that said. Your change won't survive an update as it shouldn't be outputting anything but I've found the line responsible (debug information that shouldn't still be writing out) and will put up an update tomorrow that fixes it 🙂 All inputs should be correctly identified as sourcetype=InterMapper and these are generated from your syslog notifications from InterMapper.

Other than index _internal, you don't really want things to be put into their own indexes, indexes should be used for role based, customer based data separatation or for secure data to reside separately from the rest of your data. There is no added benefit to having many indexes for different apps as if the data levels are too low then you can end up negatively affecting performance.

Ok, so I did some digging and I found that there was no index set in $SPLUNK_HOME/etc/apps/InterMapper/default/inputs.conf.

I added this to that inputs.conf:

[script://$SPLUNK_HOME/etc/apps/InterMapper/bin/cmdPortlookup.py]
index = _internal

[script://$SPLUNK_HOME/etc/apps/InterMapper/bin/loadImData.py]
index = _internal

Is there a reason there was no index provided? Is this going to cause any issues if I add one? Will it survive an upgrade or should I put these changes in a different file that isn't overwritten at upgrade time?