I have just realized that the *NIX app is sending data to the os index (which is correct) but also to the main index.
Is this normal behavior? I was expecting the app to send data to the os index only, since it is created exactly for this purpose...
Update: My mistake, the app correctly sends the data to the os index only. I got confused because searching, for example, for sourcetype=top in the search app brings up results from the os index as well, whereas for other indexes I need to manually specify the index to search.
For some reason, in this case the os index gets searched even if you don't specify it explicitly, which means that searching for sourcetype=top will search the os index and not the main index. This doesn't happen with other indexes, which I manually have to type in the search bar in order to search data inside them.
A quick search for index=main sourcetype=top showed that the *NIX app data is not sent to the main index.
@sowings yep, that was it. Thanks for the comment 🙂
You're right. Both main and os were in my role. Removing os removed the behavior.
The behavior you're describing is related to the "indexes searched by default" setting for your user role. The os index has probably been added to that list for your role, so you don't have to type it in; it's searched automatically. Note that you can still expressly include it in your search terms (and then you'd search only that index).
Makes sense, that's what I see also. Not sure why that is. My other custom indexes need to be specifically called out in the search.
@lukejadamec As far as I can tell, all the inputs and sourcetypes I have enabled in the NIX app end up in the main index too. I haven't checked them all, but all of the inputs I have checked behave like this, and it started immediately after configuring the NIX app.
The scripted inputs may send the diagnostic output from their scripts (e.g. "df", "top", etc) to the default database. I would check the inputs.conf definition for the script:: inputs to see if they include an index definition.
So if you were to search for "(index=main OR index=os) sourcetype=df"*, you'd get records for the same host in both indexes? And for the same time?
* Here, use a sourcetype appropriate for what you've enabled in your environment, df was just an example.
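To make the two points from this thread concrete (the role's default search indexes decide what an index-less search hits, and each script:// stanza in inputs.conf decides where its events land), here is an added example that is not part of the original thread or of the *NIX app. It parses constructed authorize.conf and inputs.conf fragments with a plain INI parser; the role name, script names and the assumption that a stanza with no index= line writes to main (Splunk's default index) are illustrative, and it ignores Splunk's real app-layering precedence (what btool resolves), so run it as a model of the logic, not as a substitute for btool.

```python
"""Model of two Splunk behaviors discussed in the thread (added example):
1. srchIndexesDefault on a role sets which indexes an index-less search hits.
2. A script:// input writes to its own index= value, else to the default index.
All .conf text below is constructed sample data, not the *NIX app's files."""
import configparser  # Splunk .conf files are INI-like stanza/key=value text
import re

# Constructed authorize.conf: the role has "os" in its default search list,
# which is why "sourcetype=top" returns os events without typing index=os.
AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main;os;firewall
srchIndexesDefault = main;os
"""

# Constructed inputs.conf: two stanzas set index=os, one forgets to, so its
# events would land in the default index. This is the check from the thread.
INPUTS_CONF = """
[script://./bin/top.sh]
interval = 60
sourcetype = top
index = os

[script://./bin/df.sh]
interval = 300
sourcetype = df
index = os

[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
"""

DEFAULT_INDEX = "main"  # assumption: where events go when no index= is set


def parse_conf(text):
    """Return {stanza: {key: value}} for Splunk-style .conf text."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep key case exactly as written (srchIndexesDefault)
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def default_search_indexes(authorize_text, role):
    """Indexes searched for `role` when the search has no index= term."""
    stanza = parse_conf(authorize_text).get("role_" + role, {})
    raw = stanza.get("srchIndexesDefault", "")
    return sorted(v for v in raw.split(";") if v)  # Splunk separates with ';'


def input_destinations(inputs_text):
    """Map each script:// stanza to the index its events are written to."""
    return {
        name: body.get("index", DEFAULT_INDEX)
        for name, body in parse_conf(inputs_text).items()
        if name.startswith("script://")
    }


def inputs_missing_index(inputs_text):
    """Script stanzas with no explicit index= line: the thing to look for
    when data unexpectedly shows up in main."""
    return sorted(
        name for name, body in parse_conf(inputs_text).items()
        if name.startswith("script://") and "index" not in body
    )


def effective_scope(search, authorize_text, role):
    """Indexes a search reads: explicit index= terms win (and restrict the
    search to only those), otherwise the role's default list applies."""
    explicit = re.findall(r'\bindex\s*=\s*"?([\w*-]+)"?', search)
    if explicit:
        return sorted(set(explicit))
    return default_search_indexes(authorize_text, role)


if __name__ == "__main__":
    print("default scope:", default_search_indexes(AUTHORIZE_CONF, "user"))
    print("sourcetype=top hits:", effective_scope("sourcetype=top", AUTHORIZE_CONF, "user"))
    print("destinations:", input_destinations(INPUTS_CONF))
    print("stanzas missing index=:", inputs_missing_index(INPUTS_CONF))
```

Removing os from srchIndexesDefault in the sample makes effective_scope("sourcetype=top", ...) return only main, which is the behavior change reported after the role was edited; adding index=os to the vmstat stanza empties inputs_missing_index.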
Hi sowings, thank you for your answer. The inputs.conf file contains the line index=os for every input stanza.
I'm not seeing this behavior. Can you be more specific regarding the event source/sourcetypes that are being indexed in main?