How to Change the Default Index of *NIX App

To change the way the *NIX app indexes its inputs

Make a copy of inputs.conf in the local directory for the *NIX app. You may need to create the directory first.

cp $SPLUNK_HOME/etc/apps/unix/default/inputs.conf $SPLUNK_HOME/etc/apps/unix/local/

Edit the copy of inputs.conf in the local directory as follows:

1. For each stanza, remove all the lines EXCEPT index = os and disabled
2. Change index = os to index = main (or any existing index of your choice)
3. Make sure that disabled is set to false (or zero)

Example:

[monitor:///var/log]
_whitelist=(\.log|log$|messages$|mesg$|cron$|acpid$|\.out)
_blacklist=(lastlog)
index=os
disabled = 1

Would become

[monitor:///var/log]
index=main
disabled = false

You can also do this via the Splunk Manager GUI

Change the *NIX eventtypes and saved searches

There are a number of eventtypes and saved searches that are provided with the *NIX app. Some of them contain "index=os" as part of their search. You can simply remove this term from the search, and Splunk will search all indexes that are visible to the user. You can do this via the Splunk Manager GUI.

It is probably better to use the "clone" mechanism to create a custom version of each of the redefined eventtypes, so that your changes are not overwritten by subsequent Splunk releases.

well, I don't think the problem is the inputs, but the pre-created reports. I have the same issue with the Windows application, I'd like to have it in a different index, but all the other files for the app need to be changed as well (not the inputs, but the files for the UI, saved searches etc.)