I am creating a Splunk app. How do I define only a particular index to be used by the app? Only a particular index must be accessed from the app. Where do I define the configurations?

You can set this up by creating an index.conf in $SPLUNK_HOME/etc/apps/<your_app_name>/default and adding an index configuration there.

Brian

In inputs.conf you'll define the index you want for all of your inputs. In indexes.conf you will define where the index is stored.

    [yourindex]
    homePath = $SPLUNK_DB/yourindex/db
    coldPath = $SPLUNK_DB/yourindex/colddb
    thawedPath = $SPLUNK_DB/yourindex/thaweddb
    maxTotalDataSizeMB = 10000

Then in all of your app searches and reports they will reference your index (start with index=yourindex). There is no way to assign an index to an app that I am aware of, similar to how you can assign indexes to roles.

I want to configure the app such that it listens to data from a particular index. The objective is to provide users accessing the app access to data from a particular index. What is the other way I can do this?
(26 Apr '12, 07:02)
manikdham
You can put in comments underneath the answers rather than creating a new answer. You create the app, which is only going to have views and dashboards on your index. Then you will create a user role that only has access to that index and give those users access to your app as well.
(26 Apr '12, 07:05)
sdaniels ♦

In which file do I make the changes....
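
The role-based setup sdaniels describes above, written out as configuration. This is an added example, not part of the original thread; the role name yourapp_user is a placeholder, and yourindex and <your_app_name> follow the names used in the answers.

```ini
# Added example. "yourapp_user" is a placeholder role name (role names are lowercase).

# --- $SPLUNK_HOME/etc/system/local/authorize.conf ---
[role_yourapp_user]
# Indexes this role is allowed to search at all.
srchIndexesAllowed = yourindex
# Indexes searched when a search does not name an index explicitly.
srchIndexesDefault = yourindex
# Capability needed to run searches; grant others only as required.
search = enabled
# No importRoles line on purpose: an imported role's srchIndexesAllowed
# is inherited, so importing a role that allows "*" widens access again.

# --- $SPLUNK_HOME/etc/apps/<your_app_name>/metadata/default.meta ---
# Only the restricted role can read the app's views and dashboards;
# only admin can change them.
[]
access = read : [ yourapp_user ], write : [ admin ]
```

Assign these users this role only: a user who holds several roles can search the union of the indexes those roles allow.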