The Wazuh app for Splunk has the ability to collect and index agents’ status data periodically. This information is stored on a separate index called
wazuh-monitoring. It comes enabled by default, but it’s possible to disable it or adjust the polling frequency.
At this moment, this feature only works when Splunk is installed using the minimal Splunk distributed architecture mode.
Open the inputs file located at
[script]section includes the following basic configuration:
[script:///opt/splunk/etc/apps/SplunkAppForWazuh/bin/get_agents_status.py] disabled = false index = wazuh-monitoring interval = 0 * * * * sourcetype = _json
To disable the indexation of agents' status data, change the
disabledfield to true.
By default, the script is configured to fetch and index agents' status data every hour.
intervalfield can be configured using a decimal number or a cron schedule.
If you specify the interval as a number, it may have a fractional component; for example, 3.14
To specify a cron schedule, use the following format:
<minute> <hour> <day of month> <month> <day of week>
Cron special characters are acceptable. You can use combinations of
-to specify wildcards, separate values, specify ranges of values, and step values.
Although the default interval value can be
60.0seconds, we recommend a minimum frequency of one hour to avoid overloading issues due to the excessive creation of data into the index.
Save the file when you're done editing it, and restart Splunk:
# /opt/splunk/bin/splunk restart
You can find useful information about the
inputs.conf file in the official documentation.