i am creating a Splunk app. How do i define only a particular index to be used by the app. Only a particular index must be accessed from the app. where do i define the configurations.
asked 26 Apr '12, 06:11
You can set this up by creating an index.conf in $SPLUNK_HOME/etc/apps/<your_app_name>/default and adding an index configuration there.
answered 26 Apr '12, 06:14
In inputs.conf you'll define the index you want for all of your inputs. In indexex.conf you will define where the index is stored.
[yourindex] homePath = $SPLUNK_DB/yourindex/db coldPath = $SPLUNK_DB/yourindex/colddb thawedPath = $SPLUNK_DB/yourindex/thaweddb maxTotalDataSizeMB = 10000
Then in all of your app searches and reports they will reference your index (start with index=yourindex). There is no way to assign an index to an app that i am aware of similar to how you can assign indexes to roles.
answered 26 Apr '12, 06:44