Customize agents status indexation
The Wazuh app for Splunk has the ability to collect and index agents' status data periodically. This information is stored on a separate index called wazuh-monitoring-3x. It comes enabled by default, but it's possible to disable it or adjust the polling frequency.
Warning
At this moment, this feature only works when Splunk is installed using the single-instance mode.
To do this, open the inputs file located at /opt/splunk/etc/apps/SplunkAppForWazuh/default/inputs.conf. The [script] section includes the following basic configuration:
[script:///opt/splunk/etc/apps/SplunkAppForWazuh/bin/get_agents_status.py]
disabled = false
index = wazuh-monitoring-3x
interval = 0 * * * *
sourcetype = _json
To disable the indexation of agents' status data, change the disabled field to true. By default, the script is configured to fetch and index agents' status data every hour.
The interval field can be configured using a decimal number or a cron schedule. If you specify the interval as a number, it may have a fractional component; for example, 3.14.
To specify a cron schedule, use the following format:
<minute> <hour> <day of month> <month> <day of week>
Cron special characters are acceptable. You can use combinations of * (wildcard), , (separate values), - (range of values) and / (step values).
Warning
Although the default interval value can be 60.0 seconds, we recommend an interval of at least one hour to avoid overload caused by the excessive creation of data in the index.
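As an added example (not part of the Wazuh app or the Splunk documentation), the following script reads the [script://...] stanza above, classifies its interval as either a decimal number of seconds or a five-field cron schedule, and flags a value that would poll more often than the recommended hour. The sample stanza is constructed from the default shown on this page; the hour threshold is the recommendation from the warning.

```python
import configparser
import math
import re

# Constructed sample: the default stanza quoted on this page.
SAMPLE_INPUTS_CONF = """
[script:///opt/splunk/etc/apps/SplunkAppForWazuh/bin/get_agents_status.py]
disabled = false
index = wazuh-monitoring-3x
interval = 0 * * * *
sourcetype = _json
"""

# One cron field: "*" or a number, optional "-range", optional "/step", comma-separated lists.
CRON_FIELD = re.compile(r"^(\*|\d+)(-\d+)?(/\d+)?(,(\*|\d+)(-\d+)?(/\d+)?)*$")


def parse_interval(value):
    """Classify an inputs.conf interval as ('seconds', float) or ('cron', [5 fields])."""
    value = value.strip()
    try:
        seconds = float(value)  # decimal numbers may have a fractional part, e.g. 3.14
    except ValueError:
        seconds = None
    if seconds is not None:
        if seconds < 0 or not math.isfinite(seconds):
            raise ValueError(f"interval out of range: {value!r}")
        return ("seconds", seconds)
    fields = value.split()  # <minute> <hour> <day of month> <month> <day of week>
    if len(fields) != 5 or not all(CRON_FIELD.match(f) for f in fields):
        raise ValueError(f"not a number or a 5-field cron schedule: {value!r}")
    return ("cron", fields)


def check_stanza(text, minimum_seconds=3600):
    """Report findings for the agent-status input: disabled, or polling more often than hourly."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not (section.startswith("script://") and section.endswith("get_agents_status.py")):
            continue
        if cp.get(section, "disabled", fallback="false").strip().lower() in ("true", "1"):
            findings.append("agent status indexation is disabled")
            continue
        # Splunk falls back to 60.0 seconds when interval is absent (see the warning above).
        kind, parsed = parse_interval(cp.get(section, "interval", fallback="60.0"))
        if kind == "seconds" and parsed < minimum_seconds:
            findings.append(f"interval {parsed:g}s polls more often than the recommended hour")
        elif kind == "cron" and not parsed[0].isdigit():
            # Only a single literal minute value guarantees at most one run per hour.
            findings.append(f"cron minute field {parsed[0]!r} fires more than once per hour")
    return findings
```

Run it against a real /opt/splunk/etc/apps/SplunkAppForWazuh/local/inputs.conf by passing the file contents to check_stanza; an empty list means the stanza is enabled and polls no more than hourly.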
Save the file when you're done editing it, and restart Splunk:
# /opt/splunk/bin/splunk restart
Note
You can find useful information about the inputs.conf file in the official documentation.