@genesiusj splunk_app_for_nix is the application that holds all of the dashboards / lookups / savedsearches etc. This would be what is on your search head. Your indexer will have the Splunk Add-on for Unix and Linux, a.k.a. Splunk_TA_nix. This is present in your list under $SPLUNK_HOME/etc/apps. The app comes with all the prebuilt dashboards and saved searches that use a macro to specify which index to find the *nix data in. You may have used a custom index, or just used the default index=os. In order for the app splunk_app_for_nix to know where the data resides, you can follow the directions on Splunkbase to edit the macro specified. It's important to remember that apps almost always reside on the search heads and contain knowledge objects. TAs, on the other hand, could reside on a SH / HF / IDX / UF. Where and when these are required depends on what you are looking to do with the data.