Customize agents status indexation
The Wazuh app for Splunk has the ability to collect and index agents’ status data periodically. This information is stored on a separate index called
wazuh-monitoring-3x. It comes enabled by default, but it’s possible to disable it or adjust the polling frequency.
At this moment, this feature only works when Splunk is installed using the single-instance mode.
To do this, open the inputs file located at
The [script] stanza for the status collector includes the following basic configuration:
[script:///opt/splunk/etc/apps/SplunkAppForWazuh/bin/get_agents_status.py]
disabled = false
index = wazuh-monitoring-3x
interval = 0 * * * *
sourcetype = _json
- To disable the indexation of agents’ status data, set the disabled field to true.
- By default, the script is configured to fetch and index agents’ status data every hour (the cron schedule 0 * * * * above). The interval field accepts either a decimal number of seconds or a cron schedule.
- If you specify the interval as a number, it is a number of seconds and may have a fractional component; for example, 3.14.
- To specify a cron schedule, use the following five-field format:
<minute> <hour> <day of month> <month> <day of week>
- Cron special characters are accepted: * for wildcards, , to separate values, - for ranges of values, and / for step values, in any combination.
Although Splunk’s default interval for a scripted input is 60.0 seconds, we recommend polling no more often than once an hour: a shorter interval writes a full agents’ status snapshot to the index on every run and can overload Splunk with excessive data.
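As an added example (not code from the Wazuh app or the Splunk documentation), the following Python script audits the [script://...] stanza before you restart Splunk: it parses an inputs.conf fragment, interprets interval either as a decimal number of seconds or as a five-field cron schedule, and flags any schedule that polls more often than the recommended one-hour minimum. The cron period is estimated from the minute and hour fields only (the day-of-month, month and day-of-week fields can only make the schedule sparser), so the estimate is a lower bound on the real interval, which is the conservative direction for a "too frequent" check. The sample inputs.conf text, the second stanza, and the helper names are constructed for this example.

```python
"""Audit the agents-status scripted input stanza in a Splunk inputs.conf.

Added example, not part of the Wazuh app. The interval field is read the
way the page describes it: a decimal number of seconds, or a five-field
cron schedule. Cron periods are estimated from minute + hour only, so the
result is a lower bound on the true interval (conservative for this check).
"""
import re

RECOMMENDED_MIN_SECONDS = 3600.0   # the page recommends at most once per hour
SPLUNK_DEFAULT_INTERVAL = "60.0"   # Splunk's default when interval is absent
EXPECTED_INDEX = "wazuh-monitoring-3x"

# Constructed inputs.conf fragment: the stanza shown on the page, plus a
# hypothetical second stanza that polls too often, for contrast.
SAMPLE_INPUTS_CONF = """\
[script:///opt/splunk/etc/apps/SplunkAppForWazuh/bin/get_agents_status.py]
disabled = false
index = wazuh-monitoring-3x
interval = 0 * * * *
sourcetype = _json

[script://./bin/too_frequent_status.py]
disabled = false
index = wazuh-monitoring-3x
interval = */5 * * * *
sourcetype = _json
"""


def parse_inputs_conf(text):
    """Minimal .conf parser: {stanza_name: {key: value}} (comments skipped)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def expand_cron_field(field, lo, hi):
    """Expand one cron field ('*', 'a', 'a-b', 'a,b', '*/n', 'a-b/n') to a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"cron field out of range: {field!r}")
        values.update(range(start, end + 1, step))
    return values


def interval_seconds(value):
    """Polling period in seconds for an inputs.conf interval value."""
    value = value.strip()
    if re.fullmatch(r"\d+(\.\d+)?", value):          # plain decimal seconds
        return float(value)
    fields = value.split()
    if len(fields) != 5:
        raise ValueError(f"interval is neither a number nor 5-field cron: {value!r}")
    minutes = expand_cron_field(fields[0], 0, 59)
    hours = expand_cron_field(fields[1], 0, 23)
    fires = sorted(h * 60 + m for h in hours for m in minutes)  # minute-of-day offsets
    if len(fires) == 1:
        return 24 * 3600.0                            # once a day at most
    gaps = [b - a for a, b in zip(fires, fires[1:])]
    gaps.append(24 * 60 - fires[-1] + fires[0])       # wrap around midnight
    return min(gaps) * 60.0


def check_stanza(stanza):
    """Human-readable findings for one [script://...] stanza; empty list means OK."""
    findings = []
    if stanza.get("disabled", "false").lower() in ("true", "1"):
        return ["agents status indexation is disabled"]
    raw = stanza.get("interval", SPLUNK_DEFAULT_INTERVAL)
    period = interval_seconds(raw)
    if period < RECOMMENDED_MIN_SECONDS:
        findings.append(f"interval {raw!r} polls every {period:g}s; "
                        f"recommended minimum is {RECOMMENDED_MIN_SECONDS:g}s")
    if stanza.get("index") != EXPECTED_INDEX:
        findings.append(f"index is {stanza.get('index')!r}, expected {EXPECTED_INDEX!r}")
    return findings


def audit(text):
    """Audit every scripted-input stanza in an inputs.conf: {stanza: findings}."""
    return {name: check_stanza(st) for name, st in parse_inputs_conf(text).items()
            if name.startswith("script://")}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INPUTS_CONF).items():
        print(name, "->", findings or ["OK"])
```

Run it against the real file (for example by replacing SAMPLE_INPUTS_CONF with the contents of the app's inputs.conf) before restarting Splunk; a stanza with no findings matches the page's recommendation, and a finding on interval tells you exactly how often the schedule would fire.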
Save the file when you’re done editing it, and restart Splunk:
# /opt/splunk/bin/splunk restart
You can find useful information about the inputs.conf file in the official Splunk documentation.