Add-ons and indexes

The Splunk platform stores the data that it collects in indexes. Understanding Splunk indexes is important for ensuring good performance when you search, for setting retention policies, and for providing data security (controlling who has access to the data). Out of the box, all data collected by Splunk supported add-ons is indexed to the default Splunk index, main. Splunk administrators are encouraged to change the index that is used for the source types in the add-on from the default index to another index that will meet the retention requirements and user access needs for this data source.

You can change the index that is used for the data source when configuring the add-on. Some add-ons include a setup page that allows you to specify the index to send your data to. Note that these setup pages can only list indexes that are locally configured on that node. For add-ons that do not include a setup page, or for hosts that cannot list the desired index, you can edit the inputs.conf file directly to specify the index to use for the data collected by the input. To do this, add the following line to the input's stanza in inputs.conf on the Splunk platform component where the data is entering the system, usually a forwarder:

index = <index_name>

Note that you must first create the index and ensure that it is in place on all nodes that may receive data before data from the add-on can be routed to it.
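The following check is an added example, not part of the Splunk documentation or any add-on: it reads one inputs.conf and flags inputs that still fall through to main, or that name an index that has not been created. The index names, the sample file contents and the function names are assumptions made for illustration, and the script looks at a single file only, without modelling how Splunk merges configuration across apps.

```python
# Hypothetical index names and a constructed inputs.conf; adjust to your deployment.
SAMPLE_INPUTS_CONF = """\
# constructed sample, not taken from a real add-on
[monitor:///var/log/secure]
sourcetype = linux_secure
index = os_linux

[monitor:///var/log/messages]
sourcetype = syslog

[script://./bin/vmstat.sh]
sourcetype = vmstat
index = os_metrics
"""

def parse_conf(text):
    """Return {stanza: {key: value}} for a Splunk-style .conf file."""
    stanzas, current = {}, "default"   # keys before any header count as [default]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def audit_indexes(conf_text, known_indexes):
    """Map each input stanza to 'ok', 'default-main' or 'missing-index'."""
    stanzas = parse_conf(conf_text)
    inherited = stanzas.get("default", {}).get("index")  # [default] applies to every input
    findings = {}
    for name, settings in stanzas.items():
        if name == "default":
            continue
        index = settings.get("index", inherited)
        if index is None or index == "main":
            findings[name] = "default-main"    # no retention or access separation
        elif index not in known_indexes:
            findings[name] = "missing-index"   # index must exist before data is routed to it
        else:
            findings[name] = "ok"
    return findings

if __name__ == "__main__":
    for stanza, status in audit_indexes(SAMPLE_INPUTS_CONF, {"os_linux"}).items():
        print(f"{status:14} [{stanza}]")
```

Pass the set of indexes that actually exist on every node that can receive the data as `known_indexes`. For the merged view across all apps on a host, `splunk btool inputs list --debug` shows the effective settings and the file each one comes from.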

See "Set up multiple indexes" in the Managing Indexers and Clusters of Indexers manual for more information about creating and using indexes.

Last modified on 21 July, 2021

This documentation applies to the following versions of Splunk® Supported Add-ons: released