How to Change uberAgent’s Splunk Index Name
By default, uberAgent sends the data it collects to the Splunk index uberagent.
The index uberagent is created in the indexer app uberAgent_indexer. The file
default\indexes.conf contains the relevant definitions.
If you want to change the index name, you need to do so in the following places:
- uberAgent configuration (see below)
The index uberAgent sends the collected data to can be configured in uberAgent’s configuration with the setting Index.
The index searched in the dashboards can be configured through the uberAgent_index stanza in the file
macros.conf of the dashboard (search head) app. The default is as follows:
definition = uberagent*
The index searched for the event type uberAgent_index_query can be configured through the uberAgent_index_query stanza in the file
eventtypes.conf of the dashboard (search head) apps. The default is as follows:
search = index=uberagent*