uberAgent

How to Change uberAgent’s Splunk Index Name

By default, uberAgent sends the data it collects to the Splunk index uberagent.

How is the index created

The index uberagent is created in the indexer app uberAgent_indexer. The file default\indexes.conf contains the relevant definitions.

How to change the index name

If you want to change the index name, you need to do so in the following places:

  • indexes.conf (see above)
  • uberAgent configuration (see below)
  • macros.conf (see below)
  • eventtypes.conf (see below)

uberAgent configuration

The index uberAgent sends the collected data to can be configured in uberAgent’s configuration with the setting Index.

Macros.conf

The index searched in the dashboards can be configured through the uberAgent_index stanza in the file macros.conf of the dashboard (search head) app. The default is as follows:

[uberAgent_index]
definition = uberagent*
<!--NeedCopy-->

Eventtypes.conf

The index searched for the event type uberAgent_index_query can be configured through the uberAgent_index_query stanza in the file eventtypes.conf of the dashboard (search head) apps. The default is as follows:

[uberAgent_index_query]
search = index=uberagent*
<!--NeedCopy-->
How to Change uberAgent’s Splunk Index Name