Customize agents status indexation

The Wazuh app for Splunk has the ability to collect and index agents' status data periodically. This information is stored on a separate index called wazuh-monitoring-3x. It comes enabled by default, but it's possible to disable it or adjust the polling frequency.

Warning

At this moment, this feature only works when Splunk is installed using the single-instance mode.

To do this, open the inputs file located at /opt/splunk/etc/apps/SplunkAppForWazuh/default/inputs.conf. The [script] section includes the following basic configuration:

[script:///opt/splunk/etc/apps/SplunkAppForWazuh/bin/get_agents_status.py]
disabled = false
index = wazuh-monitoring-3x
interval = 0 * * * *
sourcetype = _json
  • To disable the indexation of agents' status data, change the disabled field to true.

  • By default, the script is configured to fetch and index agents' status data every hour.

  • The interval field can be configured using a decimal number or a cron schedule.

    • If you specify the interval as a number, it may have a fractional component; for example, 3.14

    • To specify a cron schedule, use the following format: <minute> <hour> <day of month> <month> <day of week>

    • Cron special characters are acceptable. You can use combinations of *, ,, /, and - to specify wildcards, separate values, specify ranges of values, and step values.

Warning

Although the default interval value can be 60.0 seconds, we recommend a minimum frequency of one hour to avoid overloading issues due to the excessive creation of data into the index.

Save the file when you're done editing it, and restart Splunk:

# /opt/splunk/bin/splunk restart

Note

You can find useful information about the inputs.conf file in the official documentation.