Can we configure the Splunk App for Unix and Linux...

pgsplunk91 · ‎10-16-2015

What I want is to make the Splunk App for Unix and Linux search two indexes: one is by default the 'os' index and another index of my choice. Is it possible?

davebo1896 · ‎10-16-2015

Add this into local/macros.conf
[os_index]
definition = index=os OR index=myindex

michaelsimko · ‎10-16-2015

Yes, you can make the SA_nix search two indexes.

To do this, you are going to need to edit local versions of two files, and then restart Splunk. I included example folders, but your structure may vary.

Step 1: Create a local folder under the SA_nix app (example: /opt/splunk/etc/apps/SA_nix/local).

Step 2: From SA_nix, copy (while keeping the same permissions) both savedsearches.conf and macros.conf from the SA_nix/default directory and into SA_nix/local.
(example: cp -rp /opt/splunk/etc/apps/SA_nix/default/macros.conf /opt/splunk/etc/apps/SA_nix/local/).

Step 3: Edit local/macros.conf to include your desired index
Delete everything in the file
Add the following:

[os_index]
definition = (index=”os” index=”YOURNEWINDEX”)

Example:
[os_index]
definition = (index=”os” OR index=”otherlinuxgoo”)

Step 4: Edit local/savedsearches.conf
Delete everything in the file
Add the following:

[os_index]
[UNIX - Timechart Config Changes]
search = (index="os" OR index=”YOURNEWINDEX”) eventtype="nix_configs" | strcat source "@" host changelist | timechart count by changelist

Example:
[UNIX - Timechart Config Changes]
search = (index="os" OR index=”otherlinuxgoo”) eventtype="nix_configs" | strcat source "@" host changelist | timechart count by changelist

Step 5: Restart Splunk

Step 6: Validate it worked.

Can we configure the Splunk App for Unix and Linux to search multiple indexes without creating multiple versions of the app?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases