Customize agents status indexation

The Wazuh app for Splunk has the ability to collect and index agents’ status data periodically. This information is stored on a separate index called wazuh-monitoring. It comes enabled by default, but it’s possible to disable it or adjust the polling frequency.

Warning

At this moment, this feature only works when Splunk is installed using the minimal Splunk distributed architecture mode.

Open the inputs file located at /opt/splunk/etc/apps/SplunkAppForWazuh/default/inputs.conf. The [script] section includes the following basic configuration:

[script:///opt/splunk/etc/apps/SplunkAppForWazuh/bin/get_agents_status.py]
disabled = false
index = wazuh-monitoring
interval = 0 * * * *
sourcetype = _json

To disable the indexation of agents' status data, change the disabled field to true.
By default, the script is configured to fetch and index agents' status data every hour.
The interval field can be configured using a decimal number or a cron schedule.
- If you specify the interval as a number, it may have a fractional component; for example, 3.14
- To specify a cron schedule, use the following format: <minute> <hour> <day of month> <month> <day of week>
- Cron special characters are acceptable. You can use combinations of *, ,, /, and - to specify wildcards, separate values, specify ranges of values, and step values.
Warning

Although the default interval value can be 60.0 seconds, we recommend a minimum frequency of one hour to avoid overloading issues due to the excessive creation of data into the index.
Save the file when you're done editing it, and restart Splunk:
```
# /opt/splunk/bin/splunk restart
```

Note

You can find useful information about the inputs.conf file in the official documentation.